encrypt cookies containing callback state

avdb13 · avdb13 · commit f29e5773f4d0 · 2025-11-14T09:21:18.000Z
diff --git a/packages/common/src/cookie.ts b/packages/common/src/cookie.ts
@@ -1,10 +1,10 @@
 import { sealData, unsealData } from "iron-session";
 
-type SameSite = 'Strict' | 'Lax' | 'None';
+export type SameSite = Lowercase<'Strict' | 'Lax' | 'None'>;
 
 export interface Response {
-  setCookie(name: string, value: string, options: CookieOptions): void;
-  clearCookie(name: string, options: CookieOptions): void;
+  cookie(name: string, value: string, options: CookieOptions): Response;
+  clearCookie(name: string, options?: CookieOptions): Response;
 }
 
 export interface Request {
@@ -49,7 +49,7 @@ export class CookieJar {
       cookie: {
         httpOnly: true,
         secure: !devMode,
-        sameSite: "Lax" as const,
+        sameSite: "lax" as const,
         path: "/",
         maxAge: ttl * 1000,
       },
@@ -62,7 +62,7 @@ export class CookieJar {
       ttl: this.options.ttl,
     });
 
-    resp.setCookie(name, sealed, this.options.cookie);
+    resp.cookie(name, sealed, this.options.cookie);
   }
 
   async get<T>(req: Request, name: string, onError: (...args: string[]) => void): Promise<T | null> {
diff --git a/packages/pds/src/api/com/atproto/sso/getCallback.ts b/packages/pds/src/api/com/atproto/sso/getCallback.ts
@@ -58,8 +58,6 @@ export default function (server: Server, ctx: AppContext) {
         throw new InvalidRequestError(`Missing code in callback response`);
       }
 
-      const { code, state } = params;
-
       const session: SessionData | null = await ctx.cookieJar.get(req, "atproto-callback", (msg, error) => {
         log.error(`Cookie error: ${msg} ${error}`);
       });
@@ -69,7 +67,7 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       // CSRF protection: compare state from URL with state from session
-      if (session.state !== state) {
+      if (session.state !== params.state) {
         await ctx.ssoManager.deleteAuthCallback(session.state);
         ctx.cookieJar.clear(res, "atproto-callback");
 
@@ -114,7 +112,7 @@ export default function (server: Server, ctx: AppContext) {
 
       const data = new URLSearchParams({
         grant_type: "authorization_code",
-        code,
+        code: params.code,
         redirect_uri: callback.redirectUri,
         client_id: idp.clientId,
       });
