fix: always send a nonce in the auth request

mongodb-js · Nov 14, 2024 · 5a10268 · 5a10268
1 parent 3e77a74
commit 5a10268
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/plugin.ts b/src/plugin.ts
@@ -657,6 +657,8 @@ export class MongoDBOIDCPluginImpl implements MongoDBOIDCPlugin {
     let client!: BaseClient;
     let actualRedirectURI!: string;
 
+    const nonce = generators.nonce();
+
     try {
       await withAbortCheck(signal, async ({ signalCheck, signalPromise }) => {
         // We mark the operations that we want to allow to result in a fallback
@@ -680,6 +682,7 @@ export class MongoDBOIDCPluginImpl implements MongoDBOIDCPlugin {
           code_challenge: codeChallenge,
           code_challenge_method: 'S256',
           state: oidcStateParam,
+          nonce,
         });
         validateSecureHTTPUrl(authCodeFlowUrl, 'authCodeFlowUrl');
         const { localUrl, onAccessed: onLocalUrlAccessed } =
@@ -760,6 +763,7 @@ export class MongoDBOIDCPluginImpl implements MongoDBOIDCPlugin {
     const tokenSet = await client.callback(actualRedirectURI, params, {
       code_verifier: codeVerifier,
       state: oidcStateParam,
+      nonce,
     });
     this.updateStateWithTokenSet(state, tokenSet);
   }