fix(oauth): correctly remove code_verifier cookie when used (#2325 )

Co-authored-by: Pol Bonastre <pbonastre@plainconcepts.com>
2026-05-01 10:55:20 +00:00 · 2021-07-08 17:24:56 +02:00
1 changed files with 5 additions and 1 deletions
--- a/src/server/lib/oauth/pkce-handler.js
+++ b/src/server/lib/oauth/pkce-handler.js
@@ -36,7 +36,11 @@ export async function handleCallback (req, res) {
      pkceLength: PKCE_LENGTH,
      method: PKCE_CODE_CHALLENGE_METHOD
    })
-    cookie.set(res, cookies.pkceCodeVerifier.name, null, { maxAge: 0 }) // remove PKCE after it has been used
+    // remove PKCE after it has been used
+    cookie.set(res, cookies.pkceCodeVerifier.name, "", { 
+      ...cookies.pkceCodeVerifier.options,
+      maxAge: 0 
+    })
  } catch (error) {
    logger.error('CALLBACK_OAUTH_ERROR', error)
    return res.redirect(`${baseUrl}${basePath}/error?error=OAuthCallback`)