Fix OAuth2 redirects when reusing state

ChangeLog.md

@@ -3,6 +3,12 @@ Web Authentication change log
 
 ## ?.?.? / ????-??-??
 
+## 5.2.1 / 2024-11-03
+
+* Fixed OAuth2 implementation to redirect to the correct target URL when
+  reusing state from a previous authorization flow.
+  (@thekid)
+
 ## 5.2.0 / 2024-07-17
 
 * Merged PR #31: Make it possible to change the session namespace (CAS)

src/main/php/web/auth/oauth/OAuth2Flow.class.php

@@ -107,15 +107,9 @@ public function authenticate($request, $response, $session) {
     // Start authorization flow to acquire an access token
     $server= $request->param('state');
     if (null === $stored || null === $server) {
-
-      // Reuse state
-      if (isset($stored['state'])) {
-        $state= $stored['state'];
-      } else {
-        $state= bin2hex($this->rand->bytes(16));
-        $session->register($this->namespace, ['state' => $state, 'target' => (string)$uri]);
-        $session->transmit($response);
-      }
+      $state= $stored['state'] ?? bin2hex($this->rand->bytes(16));
+      $session->register($this->namespace, ['state' => $state, 'target' => (string)$uri]);
+      $session->transmit($response);
 
       // Redirect the user to the authorization page
       $params= [

src/test/php/web/auth/unittest/OAuth2FlowTest.class.php

@@ -183,8 +183,9 @@ public function reuses_state_when_previous_redirect_incomplete() {
     $session= (new ForTesting())->create();
     $session->register('oauth2::flow', ['state' => 'REUSED_STATE', 'target' => self::SERVICE]);
 
-    $this->authenticate($fixture, '/', $session);
+    $this->authenticate($fixture, '/new', $session);
     Assert::equals('REUSED_STATE', $session->value(self::SNS)['state']);
+    Assert::equals('http://localhost/new', $session->value(self::SNS)['target']);
   }
 
   #[Test]