From 80963c96e6294314f2d2322f4319cdec60f356af Mon Sep 17 00:00:00 2001
From: Namekuji
Date: Wed, 22 Mar 2023 10:14:00 -0400
Subject: [PATCH] fix oauth redirect_uri
---
 auth.go | 19 ++++++++++++++-----
 server.go | 8 +-------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/auth.go b/auth.go
index f8b0425..373a2d7 100644
--- a/auth.go
+++ b/auth.go
@@ -66,7 +66,7 @@ func loginHandler(c echo.Context) (err error) {
 req.Redirect = "/"
 }
- appConfig, err := getAppConfig(serverURL.String(), req.Redirect)
+ appConfig, err := getAppConfig(serverURL.String())
 if err != nil {
 return ErrInvalidRequestFormat
 }
@@ -89,6 +89,15 @@ func loginHandler(c echo.Context) (err error) {
 return echo.NewHTTPError(http.StatusInternalServerError)
 }
+ redirURL, err := url.Parse(mastApp.AuthURI)
+ if err != nil {
+ c.Logger().Warn(err)
+ return echo.NewHTTPError(http.StatusInternalServerError, "invalid_auth_uri")
+ }
+ q := redirURL.Query()
+ q.Add("state", req.Redirect)
+ redirURL.RawQuery = q.Encode()
+
 return c.String(http.StatusCreated, mastApp.AuthURI)
 }
@@ -96,8 +105,8 @@ func loginHandler(c echo.Context) (err error) {
 }
 type OAuthRequest struct {
- Code string `query:"code"`
- Redirect string `query:"redir"`
+ Code string `query:"code"`
+ State string `query:"state"`
 }
 // handler for GET to /app/oauth?code=****
@@ -122,7 +131,7 @@ func oauthHandler(c echo.Context) (err error) {
 if err != nil {
 return err
 }
- appConf, err := getAppConfig(data.MastodonConfig.Server, req.Redirect)
+ appConf, err := getAppConfig(data.MastodonConfig.Server)
 if err != nil {
 return echo.NewHTTPError(http.StatusBadRequest, err.Error())
 }
@@ -178,7 +187,7 @@ func oauthHandler(c echo.Context) (err error) {
 return echo.NewHTTPError(http.StatusInternalServerError)
 }
- return c.Redirect(http.StatusFound, req.Redirect)
+ return c.Redirect(http.StatusFound, req.State)
 }
 func getUserTokenHandler(c echo.Context) (err error) {
diff --git a/server.go b/server.go
index cbf92ec..a7579cf 100644
--- a/server.go
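Review bot: The `redirURL` built in the `@@ -89,6 +89,15 @@` hunk of loginHandler (auth.go) is never sent, because the unchanged `return c.String(http.StatusCreated, mastApp.AuthURI)` still hands back the original authorize URL. The `state` value therefore does not reach the provider, and the callback would presumably arrive without it. Return the rebuilt URL instead: `return c.String(http.StatusCreated, redirURL.String())`. `req.Redirect` is also copied into `state` exactly as the client supplied it, so this is a natural place to restrict it to a local path before it leaves the server. loginHandler begins and ends outside the hunk.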
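Review bot: `return c.Redirect(http.StatusFound, req.State)` in the `@@ -178,7 +187,7 @@` hunk of oauthHandler (auth.go) redirects to whatever the `state` query parameter holds, and no line in the patch checks that it is a path on this site, so the callback can serve as an open redirect. Accept only a same-origin path and fall back to the root, for example `if !strings.HasPrefix(req.State, "/") || strings.HasPrefix(req.State, "//") || strings.HasPrefix(req.State, "/\\") { req.State = "/" }` before the redirect; this also covers an empty value. The value is not tied to the session that started the login either, so as written `state` does not appear to provide the CSRF protection OAuth intends for it. A random per-session token carried alongside the path and compared on return would close that gap. The body of oauthHandler continues outside the hunk, so confirm no such check already exists there.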
+++ b/server.go
@@ -225,19 +225,13 @@ func (cv *CustomValidator) Validate(i interface{}) error {
 return nil
 }
-func getAppConfig(server string, redirPath string) (*mastodon.AppConfig, error) {
- if redirPath == "" {
- redirPath = "/"
- }
+func getAppConfig(server string) (*mastodon.AppConfig, error) {
 redirectURI := "urn:ietf:wg:oauth:2.0:oob"
 u := &url.URL{
 Host: mainConfig.LocalDomain,
 Scheme: "https",
 Path: "/",
 }
- q := u.Query()
- q.Add("redir", redirPath)
- u.RawQuery = q.Encode()
 u = u.JoinPath("app", "oauth")
 redirectURI = u.String()
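Review bot: The initial value `redirectURI := "urn:ietf:wg:oauth:2.0:oob"` in getAppConfig is overwritten by `redirectURI = u.String()` on every path visible in this hunk, so the out-of-band URN reads like a supported fallback that the code never uses. Dropping the literal and declaring the variable where it gets its value, `redirectURI := u.String()`, would make it plain that the registered redirect URI is always the fixed `/app/oauth` callback on `mainConfig.LocalDomain`. A short doc comment stating that the post-login destination now travels in `state`, and that the redirect URI must stay constant to match the registered value, would record why the `redir` query was removed. The function continues past the end of the hunk.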