From 9829ae2fb1b1ce9c23b2c5a28c66701f3c97f66b Mon Sep 17 00:00:00 2001 From: Tom Lewis <21278582+tomlewis0@users.noreply.github.com> Date: Sat, 14 Jun 2025 15:18:44 +0100 Subject: [PATCH 1/2] Pass state param to GitHub --- src/runtime/server/lib/oauth/github.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/runtime/server/lib/oauth/github.ts b/src/runtime/server/lib/oauth/github.ts index 08e074d6..2da6fda3 100644 --- a/src/runtime/server/lib/oauth/github.ts +++ b/src/runtime/server/lib/oauth/github.ts @@ -114,7 +114,7 @@ export function defineOAuthGitHubEventHandler({ config, onSuccess, onError }: OA authorizationParams: {}, }) as OAuthGitHubConfig - const query = getQuery<{ code?: string, error?: string }>(event) + const query = getQuery<{ code?: string, error?: string, state?: string }>(event) if (query.error) { const error = createError({ @@ -144,6 +144,7 @@ export function defineOAuthGitHubEventHandler({ config, onSuccess, onError }: OA client_id: config.clientId, redirect_uri: redirectURL, scope: config.scope.join(' '), + state: query.state || '', ...config.authorizationParams, }), ) From a7fdfa3ade183513b67c551faad53ae7c0555629 Mon Sep 17 00:00:00 2001 From: Tom Lewis <21278582+tomlewis0@users.noreply.github.com> Date: Sun, 15 Jun 2025 08:57:35 +0100 Subject: [PATCH 2/2] Use utils for state validation --- src/runtime/server/lib/oauth/github.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/runtime/server/lib/oauth/github.ts b/src/runtime/server/lib/oauth/github.ts index 2da6fda3..a11918b1 100644 --- a/src/runtime/server/lib/oauth/github.ts +++ b/src/runtime/server/lib/oauth/github.ts 
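Review bot: In the second hunk of this commit, `state: query.state || ''` forwards whatever `state` the incoming request carries straight into the GitHub authorization URL, and nothing in this commit compares it on the callback, so as a standalone commit the login flow gains no CSRF binding from the parameter. The follow-up commit in this series replaces this line with a value from `handleState` and adds the callback comparison, so the concern is addressed there; the issue is only that this intermediate commit lands a version where the parameter is client-chosen and unverified. Consider squashing the two patches so the unbound form never exists as its own revision. The enclosing defineOAuthGitHubEventHandler body starts and ends outside both hunks.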
@@ -2,7 +2,7 @@ import type { H3Event } from 'h3' import { eventHandler, getQuery, sendRedirect, createError } from 'h3' import { withQuery } from 'ufo' import { defu } from 'defu' -import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken } from '../utils' +import { getOAuthRedirectURL, handleAccessTokenErrorResponse, handleInvalidState, handleMissingConfiguration, handleState, requestAccessToken } from '../utils' import { useRuntimeConfig } from '#imports' import type { OAuthConfig } from '#auth-utils' @@ -131,6 +131,7 @@ export function defineOAuthGitHubEventHandler({ config, onSuccess, onError }: OA } const redirectURL = config.redirectURL || getOAuthRedirectURL(event) + const state = await handleState(event) if (!query.code) { config.scope = config.scope || [] @@ -144,12 +145,16 @@ export function defineOAuthGitHubEventHandler({ config, onSuccess, onError }: OA client_id: config.clientId, redirect_uri: redirectURL, scope: config.scope.join(' '), - state: query.state || '', + state, ...config.authorizationParams, }), ) } + if (query.state !== state) { + handleInvalidState(event, 'github', onError) + } + const tokens = await requestAccessToken(config.tokenURL as string, { body: { grant_type: 'authorization_code',
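Review bot: `const state = await handleState(event)` in the second hunk now runs on every request to the handler, both the initial redirect and the callback, and the later comparison against `query.state` only holds if `handleState` returns the previously issued value on the callback rather than minting a fresh one; `../utils` is not in this diff, so I can't confirm that here. A short comment on the line would make the contract explicit for the next reader, e.g. `// CSRF token for this login attempt; must be the same value on the callback as on the initial redirect`. The enclosing defineOAuthGitHubEventHandler body starts and ends outside the hunk.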
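Review bot: The guard `if (query.state !== state)` in the last hunk does not return, so if `handleInvalidState` only throws when no `onError` is supplied and otherwise hands the error to `onError` and resolves (hedged, `../utils` is not in this diff), execution continues into `requestAccessToken` with a state value that has already failed validation. Making the guard `return handleInvalidState(event, 'github', onError)` keeps the token exchange unreachable after a mismatch regardless of what `onError` does. A one-line comment above the check would also help, e.g. `// Reject callbacks whose state does not match the value issued for this session`. The enclosing defineOAuthGitHubEventHandler body starts and ends outside the hunk.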