diff --git a/lib/auth_web/controllers/auth_controller.ex b/lib/auth_web/controllers/auth_controller.ex index 53954b84..70e45cdd 100644 --- a/lib/auth_web/controllers/auth_controller.ex +++ b/lib/auth_web/controllers/auth_controller.ex @@ -48,7 +48,7 @@ defmodule AuthWeb.AuthController do name: person.givenName, template: "welcome" }) - |> IO.inspect(label: "email") + # |> IO.inspect(label: "email") # IO.inspect(state, label: "state handler/3:53") @@ -80,6 +80,13 @@ defmodule AuthWeb.AuthController do |> halt() end + + @doc """ + `get_client_secret_from_state/1` gets the client_id from state, + attempts to decode_decrypt it and then look it up in apikeys + if it finds the corresponding client_secret it returns the client_secret. + All other failure conditions return a 0 (zero) which results in a 401. + """ def get_client_secret_from_state(state) do query = URI.decode_query(state) # IO.inspect(query, label: "query") @@ -96,7 +103,7 @@ defmodule AuthWeb.AuthController do apikeys = Auth.Apikey.list_apikeys_for_person(person_id) # IO.inspect(apikeys) Enum.filter(apikeys, fn(k) -> - k.client_id == client_id # and state =~ k.url + k.client_id == client_id and state =~ k.url end) |> List.first() |> Map.get(:client_secret) # check for URL match! end diff --git a/test/auth_web/controllers/auth_controller_test.exs b/test/auth_web/controllers/auth_controller_test.exs index 8e6a2dd1..793595c9 100644 --- a/test/auth_web/controllers/auth_controller_test.exs +++ b/test/auth_web/controllers/auth_controller_test.exs @@ -4,7 +4,7 @@ defmodule AuthWeb.AuthControllerTest do test "github_handler/2 github auth callback", %{conn: conn} do conn = get(conn, "/auth/github/callback", - %{code: "123", state: "http://localhost/" <> + %{code: "123", state: "http://localhost:4000/" <> "&client_id=" <> AuthPlug.Token.client_id() }) # assert html_response(conn, 200) =~ "test@gmail.com" assert html_response(conn, 302) =~ "http://localhost" 
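Review bot: The debug statement at `|> IO.inspect(label: "email")` is commented out rather than deleted, right next to the already commented-out `# IO.inspect(state, label: "state handler/3:53")`, so the handler keeps two dead debug lines. That pipeline carries the person's name and the `welcome` e-mail payload, and `state` carries the client_id, so an inspect that is one `#` away from being re-enabled is an easy route for personal data to reach stdout in production; removing both lines is the cleaner change. If a trace is still wanted, `Logger.debug/1` is the usual substitute because it is level-controlled per environment. The enclosing function starts and ends outside the hunk.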
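Review bot: The new `@doc` says every failure condition returns `0` and results in a 401, but the visible tail of the same function (the `@@ -96` hunk below) pipes `List.first()` straight into `Map.get(:client_secret)`, which raises `BadMapError` on `nil` when no key matches instead of returning `0`; the lines between the two hunks are not visible here, so there may be handling I cannot see, but as shown the doc and the code disagree. The doc also reads as a fragment for ExDoc, whose summary is the first line; a complete sentence such as `Returns the client_secret of the API key named by the client_id in `state`, or 0 when the id cannot be decoded, is unknown, or its url does not match the state.` would serve better. A `@spec get_client_secret_from_state(String.t()) :: String.t() | 0` beside it would make the mixed return type explicit to callers and Dialyzer.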
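Review bot: `state =~ k.url` with a string on the right is a substring test, so it passes whenever the registered url appears anywhere inside `state`, not only when the redirect target at the front of `state` is that url; `state` arrives in the OAuth callback query and is therefore caller-controlled, so the check should at least be `String.starts_with?(state, k.url)`, and ideally a scheme/host/port comparison of the URL decoded out of `state` against `k.url`, which I cannot sketch precisely because the decoding lines sit outside the hunk. If `k.url` can be blank, `state =~ ""` is always true, so blank urls need to be rejected too. The trailing `# check for URL match!` comment is stale now that the match exists and should be removed. Separately, `Enum.filter/2 |> List.first() |> Map.get(:client_secret)` raises on `nil` when nothing matches, contradicting the `0` contract in the new `@doc`; `Enum.find/2` followed by a `nil -> 0` case returns the documented value, as below. The function starts outside the hunk.
```elixir
    # … unchanged: query decoding, client_id decrypt, apikeys lookup …
    apikeys
    |> Enum.find(fn k ->
      # prefix, not substring: `state =~ url` also matches a url embedded later in state
      k.client_id == client_id and is_binary(k.url) and k.url != "" and
        String.starts_with?(state, k.url)
    end)
    |> case do
      nil -> 0
      key -> key.client_secret
    end
```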
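Review bot: This test and the `@@ -12` hunk below only exercise the matching case, where the url at the front of `state` equals the key's url, so the new `state =~ k.url` condition is never shown to reject anything; a companion test sending `state: "http://other.example/" <> "&client_id=" <> AuthPlug.Token.client_id()` and asserting `html_response(conn, 401)` would pin the documented 401 path and would surface it if the no-match branch raises instead. Changing `"http://localhost/"` to `"http://localhost:4000/"` also ties the test to the port presumably stored in the url of the key behind `AuthPlug.Token.client_id()`, which deserves a one-line comment such as `# must be a prefix of the url stored on the API key for this client_id`. The test's closing `end` is not visible in the hunk.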
@@ -12,7 +12,7 @@ defmodule AuthWeb.AuthControllerTest do test "google_handler/2 for google auth callback", %{conn: conn} do conn = get(conn, "/auth/google/callback", - %{code: "234", state: "http://localhost/" <> + %{code: "234", state: "http://localhost:4000/" <> "&client_id=" <> AuthPlug.Token.client_id() }) # assert html_response(conn, 200) =~ "nelson@gmail.com" @@ -20,10 +20,17 @@ defmodule AuthWeb.AuthControllerTest do end test "google_handler/2 show welcome page", %{conn: conn} do + # IO.inspect(AuthPlug.Helpers.get_baseurl_from_conn(conn), label: "baseurl") + # Google Auth Mock makes the state https://www.example.com + # so we need to create a new API_KEY with that url: + {:ok, key} = %{"name" => "example key", "url" => "https://www.example.com"} + |> AuthWeb.ApikeyController.make_apikey(1) + |> Auth.Apikey.create_apikey() + conn = get(conn, "/auth/google/callback", %{code: "234", state: AuthPlug.Helpers.get_baseurl_from_conn(conn) <> - "&client_id=" <> AuthPlug.Token.client_id() }) + "&client_id=" <> key.client_id }) # assert html_response(conn, 200) =~ "nelson@gmail.com" assert html_response(conn, 302) =~ "redirected"