Fix incorrect state extraction from query string (#197)

* Remove qss usage * add qss as dev dependency * rename query params * don't encode undefined values
auth0 · Sep 3, 2019 · f61fb31 · f61fb31
1 parent 6f0e220
commit f61fb31
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 17 deletions.
diff --git a/__tests__/utils.test.ts b/__tests__/utils.test.ts
@@ -52,7 +52,12 @@ describe('utils', () => {
   describe('createQueryParams', () => {
     it('creates query string from object', () => {
       expect(
-        createQueryParams({ id: 1, value: 'test', url: 'http://example.com' })
+        createQueryParams({
+          id: 1,
+          value: 'test',
+          url: 'http://example.com',
+          nope: undefined
+        })
       ).toBe('id=1&value=test&url=http%3A%2F%2Fexample.com');
     });
   });

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -34,7 +34,6 @@
     "@auth0/component-cdn-uploader": "auth0/component-cdn-uploader#v2.2.2",
     "@types/cypress": "^1.1.3",
     "@types/jest": "^24.0.15",
-    "@types/qs": "^6.5.3",
     "@typescript-eslint/eslint-plugin-tslint": "^2.0.0",
     "@typescript-eslint/parser": "^2.0.0",
     "cli-table": "^0.3.1",
@@ -50,6 +49,7 @@
     "pem": "^1.14.2",
     "prettier": "^1.18.2",
     "pretty-quick": "^1.11.1",
+    "qss": "^2.0.3",
     "rimraf": "^3.0.0",
     "rollup": "^1.17.0",
     "rollup-plugin-commonjs": "^10.0.1",
@@ -73,7 +73,6 @@
     "es-cookie": "^1.2.0",
     "fast-text-encoding": "^1.0.0",
     "promise-polyfill": "^8.1.3",
-    "qss": "^2.0.3",
     "unfetch": "^4.1.0"
   },
   "files": [

diff --git a/src/utils.ts b/src/utils.ts
@@ -1,4 +1,3 @@
-import * as qs from 'qss';
 import fetch from 'unfetch';
 
 import { DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS } from './constants';
@@ -13,11 +12,17 @@ export const getUniqueScopes = (...scopes: string[]) => {
     .trim();
 };
 
-export const parseQueryResult = (hash: string) => {
-  var hashed = <any>qs.decode(hash);
+export const parseQueryResult = (queryString: string) => {
+  let queryParams = queryString.split('&');
+  let parsedQuery: any = {};
+  queryParams.forEach(qp => {
+    let [key, val] = qp.split('=');
+    parsedQuery[key] = decodeURIComponent(val);
+  });
+
   return <AuthenticationResult>{
-    ...hashed,
-    expires_in: parseInt(hashed.expires_in)
+    ...parsedQuery,
+    expires_in: parseInt(parsedQuery.expires_in)
   };
 };
 
@@ -96,7 +101,12 @@ export const createRandomString = () => {
 export const encodeState = (state: string) => btoa(state);
 export const decodeState = (state: string) => atob(state);
 
-export const createQueryParams = (params: any) => qs.encode(params);
+export const createQueryParams = (params: any) => {
+  return Object.keys(params)
+    .filter(k => typeof params[k] !== 'undefined')
+    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
+    .join('&');
+};
 
 export const sha256 = (s: string) =>
   window.crypto.subtle.digest({ name: 'SHA-256' }, new TextEncoder().encode(s));