From bf09096740fa951e8f88d227108c283829e99150 Mon Sep 17 00:00:00 2001
From: Erin
Date: Sun, 12 Nov 2023 13:02:54 -0500
Subject: [PATCH] use redirect locations from state

---
 .../auth/[provider]/callback/+page.server.ts | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/src/routes/auth/[provider]/callback/+page.server.ts b/src/routes/auth/[provider]/callback/+page.server.ts
index 4b95d77..28c1067 100644
--- a/src/routes/auth/[provider]/callback/+page.server.ts
+++ b/src/routes/auth/[provider]/callback/+page.server.ts
@@ -18,30 +18,6 @@ export const load: PageServerLoad = async event => {
 throw redirect(302, '/');
 }
 
- // check for errors from the provider
- // TODO: this is still technically provider-specific and should be split out
- // into the provider implementations since different providers can call back
- // with different parameters
- const errorCode = event.url.searchParams.get('error');
- const errorDescription = event.url.searchParams.get('error_description');
-
- // if the user cancelled the login, redirect home gracefully
- if (errorCode === 'access_denied') {
- throw redirect(302, '/');
- }
-
- // if another error was encountered, return the error information only
- if (errorCode) {
- return {
- error: {
- code: errorCode,
- description: errorDescription ?? '',
- },
- };
- }
-
- const providerImpl = authProviderImplementations[provider];
-
 // retrieve the state we stored for this session and compare against the
 // state we received from the provider
 const dataSource = await getDataSource();
@@ -58,13 +34,37 @@ export const load: PageServerLoad = async event => {
 if (!storedState || !receivedState || storedState.state !== receivedState) {
 return {
 error: {
- code: 'consumer_state_mismatch',
+ code: 'state_mismatch',
 description: `Expected state ${storedState?.state}, received ${receivedState}`,
 },
 };
 }
 
+ // check for errors from the provider
+ // TODO: this is still technically provider-specific and should be split out
+ // into the provider implementations since different providers can call back
+ // with different parameters
+ const errorCode = event.url.searchParams.get('error');
+ const errorDescription = event.url.searchParams.get('error_description');
+
+ // if the user cancelled the login, redirect home gracefully
+ if (errorCode === 'access_denied') {
+ throw redirect(302, storedState.prev);
+ }
+
+ // if another error was encountered, return the error information only
+ if (errorCode) {
+ return {
+ error: {
+ code: errorCode,
+ description: errorDescription ?? '',
+ },
+ };
+ }
+
+ const providerImpl = authProviderImplementations[provider];
+
 const code = event.url.searchParams.get('code');
 if (!code) {
 return {
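Review bot: `throw redirect(302, storedState.prev)` in the new access_denied branch sends the browser to a value read back from the stored state record, and nothing in this hunk constrains that value to a same-origin path. If `prev` is captured from a request parameter or the Referer when the login flow is started (not visible here), anyone can start a login with a crafted `prev` and this branch becomes an open redirect the moment the victim cancels at the provider; resolving it against the current origin before redirecting closes that, e.g. `const target = new URL(storedState.prev, event.url);` followed by `throw redirect(302, target.origin === event.url.origin ? target.pathname + target.search : '/');` (assuming `prev` is a string — confirm against the type). Note also that the provider error check now sits behind the state comparison, so an error callback that omits `state` surfaces as `state_mismatch` rather than the provider's own error; RFC 6749 §4.1.2.1 requires `state` on error responses, so conforming providers are unaffected, but the comment above the block could say `// runs after the state check on purpose: the error branch trusts storedState.prev`. The enclosing `load` function starts and ends outside this hunk.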