[PR #5521] PR: Fix — OAuth per-flow errorCallbackURL on state-mismatch (#5467) #6057

New Issue

GiteaMirror · 2026-03-13T12:46:01-05:00

GiteaMirror commented

2026-03-13 12:46:01 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/5521
Author: @Adityakk9031
Created: 10/23/2025
Status: 🔄 Open

Base: canary ← Head: Fix#5467

📝 Commits (7)

65ca091 PR: Fix — OAuth per-flow errorCallbackURL on state-mismatch (#5467)
0257d0d Merge branch 'canary' into Fix#5467
b0711ca Update state.ts
df6b7ae Merge branch 'Fix#5467' of https://github.com/Adityakk9031/better-auth into Fix#5467
2e77128 Update settings.json
489669e Update init.ts
44c2794 Merge branch 'canary' into Fix#5467

📊 Changes

4 files changed (+80 additions, -13 deletions)

View changed files

📝 .vscode/settings.json (+1 -1)
📝 packages/better-auth/src/init.ts (+2 -0)
📝 packages/better-auth/src/oauth2/state.ts (+43 -12)
📝 packages/core/src/types/init-options.ts (+34 -0)

📄 Description

Summary

This PR addresses issue #5467 — OAuth Error callback URL discrepancies. When an OAuth state cookie check failed (state cookie missing or mismatch), the code always fell back to the global onAPIError.errorURL (or the default backend error page) and ignored the per-flow errorCallbackURL that is stored in the OAuth state. This prevented client/native flows (e.g., Expo deep links) from being redirected to their per-flow error handlers.

This change implements an opt-in, safe mechanism to allow using the parsed per-flow errorCallbackURL on state-mismatch scenarios only when the origin of that per-flow URL is explicitly trusted via a new trustedErrorRedirectOrigins option.

Files changed (high-level)

packages/core/src/init-options.ts (types)
- Add trustedErrorRedirectOrigins?: string[] to BetterAuthOptions so that the option is typed and documented.
packages/better-auth/src/init.ts (runtime initialization)
- Merge a default value into runtime options: trustedErrorRedirectOrigins: options.trustedErrorRedirectOrigins ?? [] so the option is always defined at runtime.
packages/better-auth/src/oauth2/state.ts (state parsing / error redirect)
- Update parseState to prefer the per-flow errorURL on a state-cookie mismatch only if that URL's origin is present in ctx.options.trustedErrorRedirectOrigins (opt-in). Otherwise it falls back to the existing global error URL.

Motivation & security rationale

Problem: per-flow errorCallbackURL is stored inside the OAuth state verification record. When the state cookie mismatch occurs, the code previously did not use the parsed per-flow errorCallbackURL because the cookie mismatch made the state appear untrusted.
Risk: blindly trusting the state payload when cookies are missing opens the door to open-redirect and CSRF-like misuse.
Solution: make per-flow redirects available only when the developer explicitly opts-in via a whitelist of trusted origins (trustedErrorRedirectOrigins). By default this list is empty, preserving the existing secure behavior.

This keeps the security posture conservative (opt-in) while giving native clients (Expo / deep links) a way to receive per-flow redirects for state-mismatch errors.

Implementation details (concise)

`init-options.ts`

Added to BetterAuthOptions:

/**
 * Optional whitelist of origins that are allowed as per-flow error redirect targets.
 * Example: ["https://app.example.com", "myapp://host"]
 * If omitted or empty, parsed per-flow errorCallbackURL will NOT be used on state-mismatch.
 */
trustedErrorRedirectOrigins?: string[];

`init.ts`

Ensure runtime options always has the field defined (defaults to []):

options = {
  ...options,
  // existing defaults ...
  trustedErrorRedirectOrigins: options.trustedErrorRedirectOrigins ?? [],
};

`oauth2/state.ts` (`parseState` change)

Current behavior (before): on state-cookie mismatch the code used c.context.options.onAPIError?.errorURL || default.
New behavior: compute redirectTo as follows:
1. defaultErrorURL = c.context.options.onAPIError?.errorURL || ${c.context.baseURL}/error``
2. If parsedData.errorURL exists and ctx.options.trustedErrorRedirectOrigins is non-empty, try to parse parsedData.errorURL (using new URL(parsedData.errorURL, c.context.baseURL) to support relative URLs).
3. If parsing succeeds and url.origin is present in ctx.options.trustedErrorRedirectOrigins, use parsedData.errorURL as the redirect target.
4. Otherwise fall back to defaultErrorURL.

This logic ensures developers must explicitly list client/native deep-link origins in order to enable per-flow redirects in state-mismatch scenarios.

Example configuration (docs / README snippet)

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  // ...other options
  onAPIError: { errorURL: "https://example.com/error" },
  // Opt-in whitelist for per-flow error redirect targets
  trustedErrorRedirectOrigins: [
    "https://app.example.com",
    "myapp://host",
  ],
});

For Expo/native error deep links, add the app deep link origin (e.g., myapp://host).
Warning: Only list origins you control. This is opt-in and must be populated by the developer to allow per-flow error redirects on state-mismatch.

Tests added / manual validation

Unit tests (suggested):
- parseState when:
  - a) parsedData.errorURL is present and trustedErrorRedirectOrigins includes its origin ⇒ redirected to parsedData.errorURL on state-cookie mismatch
  - b) parsedData.errorURL present but trustedErrorRedirectOrigins is empty ⇒ redirected to global error URL * c) parsedData.errorURL present but origin not in whitelist ⇒ global error URL * d) parsedData.errorURL is relative (e.g., /err) and baseURL origin is in whitelist ⇒ redirect to resolved URL
- Negative tests for malformed URLs in parsedData.errorURL (should fall back to global error URL)
Manual reproduction (QA)
- Reproduce original issue steps (from #5467):
  - Start OAuth flow with an errorCallbackURL set to myapp://host/err and state stored in DB.
  - Simulate missing/mismatched state cookie on callback. * With trustedErrorRedirectOrigins: [] (default) — expect redirect to global backend error page. * With trustedErrorRedirectOrigins: ["myapp://host"] — expect redirect to myapp://host/err?error=state_mismatch.

Docs

Add trustedErrorRedirectOrigins to BetterAuth options docs, explaining purpose, examples, and security warning.
Add migration note: this option is opt-in (default []) — existing behavior unchanged.

Security & backward compatibility

Default behavior unchanged (secure): if trustedErrorRedirectOrigins is empty or not set, per-flow errorCallbackURL will not be used for state-mismatch redirections.
Developers must explicitly opt-in by providing a list of origins they control.

Release notes

Feature: allow per-flow OAuth errorCallbackURL to be used on state-cookie mismatch if the target origin is whitelisted via trustedErrorRedirectOrigins.
Security: default is secure (empty whitelist).

Checklist

Type definitions updated (init-options.ts)
Runtime default merged (init.ts)
parseState modified to check whitelist before honoring per-flow errorCallbackURL (state.ts)
Unit tests added/updated
Docs entry added
Changelog entry added

Reviewer notes

This change introduces a new opt-in surface (trustedErrorRedirectOrigins) — please carefully review the whitelist check in parseState.
Suggested reviewers: security-focused maintainers and OAuth plugin owners.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/5521 **Author:** [@Adityakk9031](https://github.com/Adityakk9031) **Created:** 10/23/2025 **Status:** 🔄 Open **Base:** `canary` ← **Head:** `Fix#5467` --- ### 📝 Commits (7) - [`65ca091`](https://github.com/better-auth/better-auth/commit/65ca0916bcb90879630e1c86dbc46570b14ca91a) PR: Fix — OAuth per-flow errorCallbackURL on state-mismatch (#5467) - [`0257d0d`](https://github.com/better-auth/better-auth/commit/0257d0dd86409209381273f63ab79fb9713ba85a) Merge branch 'canary' into Fix#5467 - [`b0711ca`](https://github.com/better-auth/better-auth/commit/b0711caad15ea8c8b1743f64d8fca896a961f016) Update state.ts - [`df6b7ae`](https://github.com/better-auth/better-auth/commit/df6b7aeae9cec670ec3a809a4bb9364cfa7fa184) Merge branch 'Fix#5467' of https://github.com/Adityakk9031/better-auth into Fix#5467 - [`2e77128`](https://github.com/better-auth/better-auth/commit/2e7712892f033da1f0997d2eb4dc1025f611c0cd) Update settings.json - [`489669e`](https://github.com/better-auth/better-auth/commit/489669e6997ad30bcf5dfba42202b5040845b046) Update init.ts - [`44c2794`](https://github.com/better-auth/better-auth/commit/44c279450cc8847aa5bcb7018d40aa5b5c7b6178) Merge branch 'canary' into Fix#5467 ### 📊 Changes **4 files changed** (+80 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `.vscode/settings.json` (+1 -1) 📝 `packages/better-auth/src/init.ts` (+2 -0) 📝 `packages/better-auth/src/oauth2/state.ts` (+43 -12) 📝 `packages/core/src/types/init-options.ts` (+34 -0) </details> ### 📄 Description ## Summary This PR addresses issue **#5467 — OAuth Error callback URL discrepancies**. When an OAuth state cookie check failed (state cookie missing or mismatch), the code always fell back to the global `onAPIError.errorURL` (or the default backend error page) and ignored the per-flow `errorCallbackURL` that is stored in the OAuth state. This prevented client/native flows (e.g., Expo deep links) from being redirected to their per-flow error handlers. This change implements an **opt-in, safe mechanism** to allow using the parsed per-flow `errorCallbackURL` on state-mismatch scenarios **only when the origin of that per-flow URL is explicitly trusted** via a new `trustedErrorRedirectOrigins` option. --- ## Files changed (high-level) 1. **`packages/core/src/init-options.ts`** (types) * Add `trustedErrorRedirectOrigins?: string[]` to `BetterAuthOptions` so that the option is typed and documented. 2. **`packages/better-auth/src/init.ts`** (runtime initialization) * Merge a default value into runtime options: `trustedErrorRedirectOrigins: options.trustedErrorRedirectOrigins ?? []` so the option is always defined at runtime. 3. **`packages/better-auth/src/oauth2/state.ts`** (state parsing / error redirect) * Update `parseState` to prefer the per-flow `errorURL` on a state-cookie mismatch *only if* that URL's origin is present in `ctx.options.trustedErrorRedirectOrigins` (opt-in). Otherwise it falls back to the existing global error URL. --- ## Motivation & security rationale * **Problem:** per-flow `errorCallbackURL` is stored inside the OAuth `state` verification record. When the state cookie mismatch occurs, the code previously did not use the parsed per-flow `errorCallbackURL` because the cookie mismatch made the state appear untrusted. * **Risk:** blindly trusting the `state` payload when cookies are missing opens the door to open-redirect and CSRF-like misuse. * **Solution:** make per-flow redirects available only when the developer explicitly opts-in via a whitelist of trusted origins (`trustedErrorRedirectOrigins`). By default this list is empty, preserving the existing secure behavior. This keeps the security posture conservative (opt-in) while giving native clients (Expo / deep links) a way to receive per-flow redirects for state-mismatch errors. --- ## Implementation details (concise) ### `init-options.ts` * Added to `BetterAuthOptions`: ```ts /** * Optional whitelist of origins that are allowed as per-flow error redirect targets. * Example: ["https://app.example.com", "myapp://host"] * If omitted or empty, parsed per-flow errorCallbackURL will NOT be used on state-mismatch. */ trustedErrorRedirectOrigins?: string[]; ``` ### `init.ts` * Ensure runtime `options` always has the field defined (defaults to `[]`): ```ts options = { ...options, // existing defaults ... trustedErrorRedirectOrigins: options.trustedErrorRedirectOrigins ?? [], }; ``` ### `oauth2/state.ts` (`parseState` change) * Current behavior (before): on state-cookie mismatch the code used `c.context.options.onAPIError?.errorURL || default`. * New behavior: compute `redirectTo` as follows: 1. `defaultErrorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`` 2. If `parsedData.errorURL` exists **and** `ctx.options.trustedErrorRedirectOrigins` is non-empty, try to parse `parsedData.errorURL` (using `new URL(parsedData.errorURL, c.context.baseURL)` to support relative URLs). 3. If parsing succeeds and `url.origin` is present in `ctx.options.trustedErrorRedirectOrigins`, use `parsedData.errorURL` as the redirect target. 4. Otherwise fall back to `defaultErrorURL`. This logic ensures developers must explicitly list client/native deep-link origins in order to enable per-flow redirects in state-mismatch scenarios. --- ## Example configuration (docs / README snippet) ```ts import { betterAuth } from "better-auth"; export const auth = betterAuth({ // ...other options onAPIError: { errorURL: "https://example.com/error" }, // Opt-in whitelist for per-flow error redirect targets trustedErrorRedirectOrigins: [ "https://app.example.com", "myapp://host", ], }); ``` * For Expo/native error deep links, add the app deep link origin (e.g., `myapp://host`). * **Warning**: Only list origins you control. This is opt-in and must be populated by the developer to allow per-flow error redirects on state-mismatch. --- ## Tests added / manual validation 1. **Unit tests** (suggested): * `parseState` when: * a) `parsedData.errorURL` is present and `trustedErrorRedirectOrigins` includes its origin ⇒ redirected to `parsedData.errorURL` on state-cookie mismatch * b) `parsedData.errorURL` present but `trustedErrorRedirectOrigins` is empty ⇒ redirected to global error URL * c) `parsedData.errorURL` present but origin not in whitelist ⇒ global error URL * d) `parsedData.errorURL` is relative (e.g., `/err`) and baseURL origin is in whitelist ⇒ redirect to resolved URL * Negative tests for malformed URLs in `parsedData.errorURL` (should fall back to global error URL) 2. **Manual reproduction (QA)** * Reproduce original issue steps (from #5467): * Start OAuth flow with an `errorCallbackURL` set to `myapp://host/err` and state stored in DB. * Simulate missing/mismatched state cookie on callback. * With `trustedErrorRedirectOrigins: []` (default) — expect redirect to global backend error page. * With `trustedErrorRedirectOrigins: ["myapp://host"]` — expect redirect to `myapp://host/err?error=state_mismatch`. --- ## Docs * Add `trustedErrorRedirectOrigins` to BetterAuth options docs, explaining purpose, examples, and security warning. * Add migration note: this option is **opt-in** (default `[]`) — existing behavior unchanged. --- ## Security & backward compatibility * Default behavior unchanged (secure): if `trustedErrorRedirectOrigins` is empty or not set, **per-flow** `errorCallbackURL` will **not** be used for state-mismatch redirections. * Developers must explicitly opt-in by providing a list of origins they control. --- ## Release notes * Feature: allow per-flow OAuth `errorCallbackURL` to be used on state-cookie mismatch **if** the target origin is whitelisted via `trustedErrorRedirectOrigins`. * Security: default is secure (empty whitelist). --- ## Checklist * [ ] Type definitions updated (`init-options.ts`) * [ ] Runtime default merged (`init.ts`) * [ ] `parseState` modified to check whitelist before honoring per-flow `errorCallbackURL` (`state.ts`) * [ ] Unit tests added/updated * [ ] Docs entry added * [ ] Changelog entry added --- ## Reviewer notes * This change introduces a new opt-in surface (`trustedErrorRedirectOrigins`) — please carefully review the whitelist check in `parseState`. * Suggested reviewers: security-focused maintainers and OAuth plugin owners. --- --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-13 12:46:01 -05:00

GiteaMirror referenced this issue

2026-03-13 12:58:20 -05:00

[PR #6057] [MERGED] fix: genericOAuth and SSO ignore discoveryUrl for authorization #6412

GiteaMirror referenced this issue

2026-04-13 09:34:08 -05:00

[PR #6057] [MERGED] fix: genericOAuth and SSO ignore discoveryUrl for authorization #14659

GiteaMirror referenced this issue

2026-04-15 21:37:27 -05:00

[PR #6057] [MERGED] fix: genericOAuth and SSO ignore discoveryUrl for authorization #23313

GiteaMirror referenced this issue

2026-04-17 22:53:08 -05:00

[PR #6057] [MERGED] fix: genericOAuth and SSO ignore discoveryUrl for authorization #32013

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#6057

[PR #5521] PR: Fix — OAuth per-flow errorCallbackURL on state-mismatch (#5467) #6057

📋 Pull Request Information

📝 Commits (7)

📊 Changes

📄 Description

Summary

Files changed (high-level)

Motivation & security rationale

Implementation details (concise)

init-options.ts

init.ts

oauth2/state.ts (parseState change)

Example configuration (docs / README snippet)

Tests added / manual validation

Docs

Security & backward compatibility

Release notes

Checklist

Reviewer notes

`init-options.ts`

`init.ts`

`oauth2/state.ts` (`parseState` change)