Merge pull request #456 from rowboatlabs/hotfix-google-oauth

fix oauth callback params propagation
2026-04-25 00:16:29 +02:00 · 2026-03-31 14:59:14 +05:30 · 2026-03-31 14:59:14 +05:30 · f7e6f783ba
commit f7e6f783ba
parent 983a4c578f 1c5e5afda8
3 changed files with 6 additions and 6 deletions
--- a/apps/x/apps/main/src/auth-server.ts
+++ b/apps/x/apps/main/src/auth-server.ts
@ -25,7 +25,7 @@ export interface AuthServerResult {
 */
 export function createAuthServer(
  port: number = DEFAULT_PORT,
-  onCallback: (code: string, state: string) => void | Promise<void>
+  onCallback: (params: Record<string, string>) => void | Promise<void>
 ): Promise<AuthServerResult> {
  return new Promise((resolve, reject) => {
    const server = createServer((req, res) => {
@ -67,7 +67,7 @@ export function createAuthServer(

        // Handle callback - either traditional OAuth with code/state or Composio-style notification
        // Composio callbacks may not have code/state, just a notification that the flow completed
-        onCallback(code || '', state || '');
+        onCallback(Object.fromEntries(url.searchParams.entries()));

        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.end(`
--- a/apps/x/apps/main/src/composio-handler.ts
+++ b/apps/x/apps/main/src/composio-handler.ts
@ -143,7 +143,7 @@ export async function initiateConnection(toolkitSlug: string): Promise<{

        // Set up callback server
        let cleanupTimeout: NodeJS.Timeout;
-        const { server } = await createAuthServer(8081, async (_code, _state) => {
+        const { server } = await createAuthServer(8081, async () => {
            // OAuth callback received - sync the account status
            try {
                const accountStatus = await composioClient.getConnectedAccount(connectedAccountId);
--- a/apps/x/apps/main/src/oauth-handler.ts
+++ b/apps/x/apps/main/src/oauth-handler.ts
@ -186,9 +186,9 @@ export async function connectProvider(provider: string, clientId?: string): Prom
    });

    // Create callback server
-    const { server } = await createAuthServer(8080, async (code, receivedState) => {
+    const { server } = await createAuthServer(8080, async (params: Record<string, string>) => {
      // Validate state
-      if (receivedState !== state) {
+      if (params.state !== state) {
        throw new Error('Invalid state parameter - possible CSRF attack');
      }

@ -199,7 +199,7 @@ export async function connectProvider(provider: string, clientId?: string): Prom

      try {
        // Build callback URL for token exchange
-        const callbackUrl = new URL(`${REDIRECT_URI}?code=${code}&state=${receivedState}`);
+        const callbackUrl = new URL(`${REDIRECT_URI}?${new URLSearchParams(params).toString()}`);

        // Exchange code for tokens
        console.log(`[OAuth] Exchanging authorization code for tokens (${provider})...`);