From d000914f61353dfd8d0ba20aefe9eeaa30abeed8 Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski
Date: Fri, 11 Oct 2024 17:23:51 +0200
Subject: [PATCH] fix(plugin): :bug: Don't incorrectly call errorSearchParams before initialization in callback
---
 plugins/openid/routes/oauth/callback.ts | 14 +++++++++++++-
 plugins/openid/utils.ts | 21 +++++++++------------
 2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/plugins/openid/routes/oauth/callback.ts b/plugins/openid/routes/oauth/callback.ts
index 97f571a7..4cac531d 100644
--- a/plugins/openid/routes/oauth/callback.ts
+++ b/plugins/openid/routes/oauth/callback.ts
@@ -91,7 +91,19 @@ export default (plugin: PluginType) => {
 flowId,
 currentUrl,
 redirectUrl,
- (error, message) => {
+ (error, message, flow) => {
+ const errorSearchParams = new URLSearchParams(
+ Object.entries({
+ redirect_uri: flow?.application?.redirectUri,
+ client_id: flow?.application?.clientId,
+ response_type: "code",
+ scope: flow?.application?.scopes,
+ }).filter(([_, value]) => value !== undefined) as [
+ string,
+ string,
+ ][],
+ );
+
 errorSearchParams.append("error", error);
 errorSearchParams.append("error_description", message);
diff --git a/plugins/openid/utils.ts b/plugins/openid/utils.ts
index 440e5655..eb3c6941 100644
--- a/plugins/openid/utils.ts
+++ b/plugins/openid/utils.ts
@@ -1,4 +1,6 @@
 import { db } from "@versia/kit/db";
+import type { InferSelectModel } from "@versia/kit/drizzle";
+import type { Applications, OpenIdLoginFlows } from "@versia/kit/tables";
 import {
 type AuthorizationResponseError,
 type AuthorizationServer,
@@ -15,7 +17,6 @@ import {
 userInfoRequest,
 validateAuthResponse,
 } from "oauth4webapi";
-import type { Application } from "~/classes/functions/application";
 export const oauthDiscoveryRequest = (
 issuerUrl: string | URL,
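Review bot: In the `callback.ts` hunk, the `as [string, string][]` assertion on the filtered entries hides the real value types: the filter drops only `undefined`, so a `null` or non-string column value would be stringified straight into the query. A type guard does the narrowing at runtime instead, e.g. `.filter((entry): entry is [string, string] => typeof entry[1] === "string")`, assuming `redirectUri`, `clientId` and `scopes` are string columns (their types are not visible here). When `flow` is `null` the result carries only `response_type` plus the two error fields, so whatever builds the redirect after this hunk should not assume `redirect_uri` or `client_id` is present. The callback body continues outside the hunk, so the redirect target itself cannot be checked from here.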
@@ -131,7 +132,11 @@ export const automaticOidcFlow = async (
 errorFn: (
 error: string,
 message: string,
- app: Application | null,
+ flow:
+ | (InferSelectModel & {
+ application?: InferSelectModel | null;
+ })
+ | null,
 ) => Response,
 ) => {
 const flow = await getFlow(flowId);
@@ -171,11 +176,7 @@ export const automaticOidcFlow = async (
 const claims = getValidatedIdTokenClaims(result);
 if (!claims) {
- return errorFn(
- "invalid_request",
- "Invalid claims",
- flow.application,
- );
+ return errorFn("invalid_request", "Invalid claims", flow);
 }
 const { sub } = claims;
@@ -196,10 +197,6 @@ export const automaticOidcFlow = async (
 };
 } catch (e) {
 const error = e as ResponseBodyError | AuthorizationResponseError;
- return errorFn(
- error.error,
- error.error_description || "",
- flow.application,
- );
+ return errorFn(error.error, error.error_description || "", flow);
 }
 };
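Review bot: The `errorFn` parameter changed at `@@ -131` now hands the whole login-flow row to every error handler, while the only consumer visible in this patch reads `flow?.application` and nothing else. If that row holds per-flow secrets (its columns are not shown here), they become reachable from code whose job is only to build an error redirect; typing the parameter as an object that exposes just `application` keeps the handler's view minimal. The parameter also needs a short doc comment saying when it is `null`, something like `/** Flow row for this login attempt, or null when no flow was found for flowId. */`, to be confirmed against the part of `automaticOidcFlow` that lies outside the hunk.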
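Review bot: In the `catch` hunk at `@@ -196`, `e as ResponseBodyError | AuthorizationResponseError` is an unchecked assertion, so any other exception thrown inside the `try` (a network failure, a `TypeError`) reaches `errorFn` with `error.error` undefined. The callback in `callback.ts` then appends it to the query, so the redirect carries the literal string `undefined` as its error code and the real cause is dropped without a log entry. Narrowing with `instanceof` and falling back to a fixed code keeps protocol errors and internal failures apart; this assumes the installed `oauth4webapi` exports both names as classes, and they would have to be imported as values rather than with `type`. The unexpected case should also be logged with whatever logger the plugin uses, which is not visible here. The `try` block and the start of `automaticOidcFlow` lie outside the hunk.

```typescript
} catch (e) {
    if (
        e instanceof ResponseBodyError ||
        e instanceof AuthorizationResponseError
    ) {
        return errorFn(e.error, e.error_description || "", flow);
    }
    // Not an OAuth protocol error: keep internal details out of the redirect.
    return errorFn("server_error", "Unexpected error during OpenID flow", flow);
}
```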