feat(state): Base64 encoding instead of uri encoding of state param for yahoo (#658)

arushi364 · web-flow · commit b196a7b72c26 · 2023-01-24T23:24:41.000Z
* base 64 encoding of state param for yahoo

* Add a property base64_state to change the encoding

* add comment in yahoo module

* add more tests

* Address review comments
diff --git a/src/hello.js b/src/hello.js
@@ -375,7 +375,12 @@ hello.utils.extend(hello, {
 		}
 
 		// Convert state to a string
-		p.qs.state = encodeURIComponent(JSON.stringify(p.qs.state));
+		if (provider.oauth.base64_state) {
+			p.qs.state = window.btoa(JSON.stringify(p.qs.state));
+		}
+		else {
+			p.qs.state = encodeURIComponent(JSON.stringify(p.qs.state));
+		}
 
 		// URL
 		if (parseInt(provider.oauth.version, 10) === 1) {
diff --git a/src/modules/yahoo.js b/src/modules/yahoo.js
@@ -9,7 +9,10 @@
 				version: '1.0a',
 				auth: 'https://api.login.yahoo.com/oauth/v2/request_auth',
 				request: 'https://api.login.yahoo.com/oauth/v2/get_request_token',
-				token: 'https://api.login.yahoo.com/oauth/v2/get_token'
+				token: 'https://api.login.yahoo.com/oauth/v2/get_token',
+				// Yahoo requires the state param to be base 64 encoded, hence the flag base64_state is set to true for Yahoo.
+				// Else uri encoding is used for all the other providers.
+				base64_state: true
 			},
 
 			// Login handler
diff --git a/tests/specs/unit/core/hello.login.js b/tests/specs/unit/core/hello.login.js
@@ -154,6 +154,52 @@ describe('hello.login', function() {
 			hello.login('testable', {redirect_uri: REDIRECT_URI});
 		});
 
+		it('should base 64 encode the state if oauth.base64_state is true', function(done) {
+
+			hello.services.testable.oauth.base64_state = true;
+
+			var spy = sinon.spy(function(url, name, optins) {
+				// The url should not contain uri encoded characters
+				expect(url).to.not.contain('state=%7B%22');
+
+				done();
+			});
+
+			utils.popup = spy;
+
+			hello.login('testable');
+		});
+
+		it('should uri encode the state if oauth.base64_state is false', function(done) {
+
+			hello.services.testable.oauth.base64_state = false;
+
+			var spy = sinon.spy(function(url, name, optins) {
+				// The url should contain uri encoded characters
+				expect(url).to.contain('state=%7B%22');
+
+				done();
+			});
+
+			utils.popup = spy;
+
+			hello.login('testable');
+		});
+
+		it('should uri encode the state by default', function(done) {
+
+			var spy = sinon.spy(function(url, name, optins) {
+				// The url should contain uri encoded characters
+				expect(url).to.contain('state=%7B%22');
+
+				done();
+			});
+
+			utils.popup = spy;
+
+			hello.login('testable');
+		});
+
 		it('should pass through unknown scopes defined in `options.scope`', function(done) {
 
 			var spy = sinon.spy(function(url, name, optins) {
