cleanup: don't include state when redirecting back to custom domain; explain csrf token structure

Soxasora · Soxasora · commit 236fb1b53361 · 2025-06-10T04:25:40.000-05:00
diff --git a/middleware.js b/middleware.js
@@ -80,6 +80,7 @@ async function redirectToAuthSync (request, searchParams, domain, signup, header
   // -- CSRF protection --
   // retrieve the csrfToken from the cookie
   const csrfCookie = request.cookies.get('__Host-next-auth.csrf-token')
+  // csrf is stored as token|hash, we only need the token
   const csrfToken = csrfCookie ? csrfCookie.value.split('|')[0] : null
   // bail if we don't have a csrfToken
   if (!csrfToken) return NextResponse.redirect(new URL('/error', request.url), { headers })
@@ -115,6 +116,7 @@ async function establishAuthSync (request, searchParams, headers) {
 
   // -- CSRF protection --
   const csrfCookie = request.cookies.get('__Host-next-auth.csrf-token')
+  // csrf is stored as token|hash, we only need the token
   const csrfToken = csrfCookie ? csrfCookie.value.split('|')[0] : null
   // bail if we don't have a csrfToken
   if (!csrfToken) return NextResponse.redirect(new URL('/error', request.url), { headers })
diff --git a/pages/api/auth/sync.js b/pages/api/auth/sync.js
@@ -142,7 +142,6 @@ async function redirectToDomain (res, domainName, verificationToken, redirectUri
 
     // add the verification sync token and the redirectUri to the URL
     target.searchParams.set('synctoken', verificationToken.split('|')[0])
-    target.searchParams.set('state', verificationToken.split('|')[1])
     target.searchParams.set('redirectUri', redirectUri)
 
     // redirect to the custom domain
