#john_70817
Hi there, how can I help?
So when my frontend calls backend for my stripe link, I create a state and save it in session just like in connect-oauth-standard (https://github.com/stripe-samples/connect-standard-oauth/blob/main/server/node/server.js):
app.get("/get-oauth-link", async (req, res) => {
  const state = uuidv4();
  req.session.state = state;
  const args = new URLSearchParams({
    state,
    client_id: process.env.STRIPE_CLIENT_ID,
    scope: "read_write",
    response_type: "code",
  });
  const url = `https://connect.stripe.com/oauth/authorize?${args.toString()}`;
  return res.send({url});
});
And then i am navigated to connect.stripe.com, which then navigates back to authorize-oauth. authorize-oauth has a different state in req.session.state than req.query.state. req.query is the one passed to stripe in query params and generated from /get-oauth-link. The state i get from req.session.state is something else and I'm not sure how it is different
Basically I'm stuck in lines 51-53 here: https://github.com/stripe-samples/connect-standard-oauth/blob/main/server/node/server.js
if(req.session.state !== state) {
return res.status(403).json({ error: 'Incorrect state parameter: ' + state });
}
Did you make any changes to the example code?
There are three parts of code:
- Server backend /get-oauth-link -- I added a redirect uri to authorize-oauth
- Server backend /authorize-oauth -- this is the same
- Client call to /get-oauth-link -- I opened this in a new tab, can share code if you'd like
Can you revert all the changes you made and try again?
Thanks, will try now
I reverted back and now no req.session.state is there at all
It is undefined
It is undefined in the /authorize-oauth call, not in the first call (/get-oauth-link). There the code actually creates the session.state
Did you revert all the changes you made? Can you clone the repo again and start from scratch?
Yes it is undefined
Started from scratch
i am using node section of the sample
npm start, then going to localhost:4242
And going to stripe and filling out and then getting redirected
on redirect, the req.session.state is not there
Can you put a breakpoint in https://github.com/stripe-samples/connect-standard-oauth/blob/main/server/node/server.js#L36 and make sure req.session.state was set?
can i do console.log? Not sure how to do breakpoint with chrome+nodejs
With console.log, my terminal shows: req.session.state = 0445091d-8bc1-4c9c-a1da-35c84ad636c7
I just added this line after the req.session.state = state: console.log("req.session.state = %s", req.session.state);
OK, so the session is set.
yes
I started a new load so bear with me on the different logs / state id below
But the session is set:
req.session.state = 38b8d495-811a-44e1-b0cd-2632387536db
Can you compare the req.session in line 36 and 41 and see if they are the same?
line 41 is response_type: "code",
And do you want me to compare req.session or req.session.state
I'm more interested in req.session
On which lines?
I'm not sure if you mean line 41 or something else
Line 41 is this
Ah sorry, I mean line 51
I am calling line 36 from localhost. And line 51 has to go to a hosted server (since stripe redirects). But the hosted server also has the same code now
I'll print req.session in both
Line 36: Req.session = {"cookie":{"originalMaxAge":null,"expires":null,"httpOnly":true,"path":"/"},"state":"664feb9b-aaf2-4940-9ca6-ada0541e7a19"}
Line 51: /authorize-oauth: session = {"cookie":{"originalMaxAge":86400000,"expires":"2023-09-12T07:52:59.197Z","httpOnly":true,"path":"/"}}
Hey! Taking over for my colleague. Let me catch up.
Could you please summarize your last follow-up question? What is the issue here exactly?
Hi, I'm having some issues with saving state when i go to stripe in my oauth flow and wondering if i could get some help
What is the issue you are facing exactly?
You are using OAuth for Standard Connect, right?
When I connect a stripe account and redirect to /authorize-oauth, the session.state is not there anymore. Because of this the check for session.state = req.query.state fails
Ok, so you are running that sample, right?
https://github.com/stripe-samples/connect-standard-oauth/blob/main/server/node/server.js#L51
yes
Line 36: Req.session = {"cookie":{"originalMaxAge":null,"expires":null,"httpOnly":true,"path":"/"},"state":"664feb9b-aaf2-4940-9ca6-ada0541e7a19"}
Line 51: /authorize-oauth: session = {"cookie":{"originalMaxAge":86400000,"expires":"2023-09-12T07:52:59.197Z","httpOnly":true,"path":"/"}}
I am calling line 36 from localhost. And line 51 has to go to a hosted server (since stripe redirects). But the hosted server also has the same code now
so the state matches now? and the issue is solved or what?
no
state is 664feb9b-aaf2-4940-9ca6-ada0541e7a19 in line 36
and undefined in line 51
that is the issue currently
that means you are not sending the state in the request query
it is undefined in req.session.state
it is there in req.query.state
Line 51: /authorize-oauth: session = {"cookie":{"originalMaxAge":86400000,"expires":"2023-09-12T07:52:59.197Z","httpOnly":true,"path":"/"}}
This is for req.session.state
req.query.state is working
the above console log is req.session
Did you try to run that sample without modifying anything in the code?
yes i didn't modify anything
that was the request from jack
I am calling line 36 from localhost. And line 51 has to go to a hosted server (since stripe redirects). But the hosted server also has the same code now
seems normal to me that only the state parameter in the redirect URL (req.query.state) would be set (that is the only part Stripe can control (https://stripe.com/docs/connect/oauth-reference#get-authorize), anything about a session object is your own server's logic and not really anything Stripe influences)
hmm, how would i make this work in sample?
my logic is the same as defined in line 51
not sure, as mentioned above I'd suggest running the exact unmodified example (all on the same server) and confirm if that works or not
ok i will run on same server
note that naturally this won't work if you run it on two different servers, since it relies on the in-memory session cache of the Express server
it seems like even when on same server i am having the issue