fix(oauth): correctly remove code_verifier cookie when used (#2325)

Co-authored-by: Pol Bonastre <pbonastre@plainconcepts.com>
nextauthjs · Jul 8, 2021 · f546e55 · f546e55 · vercel · Jul 8, 2021
1 parent ac5b4db
commit f546e55
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/server/lib/oauth/pkce-handler.js b/src/server/lib/oauth/pkce-handler.js
@@ -36,7 +36,11 @@ export async function handleCallback (req, res) {
       pkceLength: PKCE_LENGTH,
       method: PKCE_CODE_CHALLENGE_METHOD
     })
-    cookie.set(res, cookies.pkceCodeVerifier.name, null, { maxAge: 0 }) // remove PKCE after it has been used
+    // remove PKCE after it has been used
+    cookie.set(res, cookies.pkceCodeVerifier.name, "", { 
+      ...cookies.pkceCodeVerifier.options,
+      maxAge: 0 
+    })
   } catch (error) {
     logger.error('CALLBACK_OAUTH_ERROR', error)
     return res.redirect(`${baseUrl}${basePath}/error?error=OAuthCallback`)