Fixed to pass two unit tests.

Author: Shunsuke Tsutsui

lib/state/pkcesession.js

@@ -39,13 +39,18 @@ PKCESessionStore.prototype.store = function(req, verifier, state, meta, callback
   if (!req.session) { return callback(new Error('OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?')); }
 
   var key = this._key;
-  var state = {
-    handle: uid(24),
-    code_verifier: verifier
+  var handle = state;
+  if (!handle) {
+    // generate if `state` is not provided when authorization call
+    handle = uid(24);
+  }
+  var stateObj = {
+      handle: handle,
+      code_verifier: verifier
   };
   if (!req.session[key]) { req.session[key] = {}; }
-  req.session[key].state = state;
-  callback(null, state.handle);
+  req.session[key].state = stateObj;
+  callback(null, stateObj.handle);
 };
 
 /**

lib/state/session.js

@@ -35,11 +35,13 @@ function SessionStore(options) {
  * @param {Function} callback
  * @api protected
  */
-SessionStore.prototype.store = function(req, callback) {
+SessionStore.prototype.store = function(req, state, meta, callback) {
   if (!req.session) { return callback(new Error('OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?')); }
 
   var key = this._key;
-  var state = uid(24);
+  if (!state) {
+    state = uid(24);
+  }
   if (!req.session[key]) { req.session[key] = {}; }
   req.session[key].state = state;
   callback(null, state);

lib/strategy.js

@@ -172,6 +172,7 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
 
       self._oauth2.getOAuthAccessToken(code, params,
         function(err, accessToken, refreshToken, params) {
+
           if (err) { return self.error(self._createOAuthError('Failed to obtain access token', err)); }
 
           self._loadUserProfile(accessToken, function(err, profile) {
@@ -249,41 +250,35 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
       params.code_challenge_method = this._pkceMethod;
     }
 
-    var state = options.state;
-    if (state) {
-      params.state = state;
-      
-      var parsed = url.parse(this._oauth2._authorizeUrl, true);
+    function stored(err, state) {
+      console.log(`stored err=${err}, state=${state}`);
+      if (err) { return self.error(err); }
+
+      if (state) { params.state = state; }
+      var parsed = url.parse(self._oauth2._authorizeUrl, true);
       utils.merge(parsed.query, params);
-      parsed.query['client_id'] = this._oauth2._clientId;
+      parsed.query['client_id'] = self._oauth2._clientId;
       delete parsed.search;
       var location = url.format(parsed);
-      this.redirect(location);
-    } else {
-      function stored(err, state) {
-        if (err) { return self.error(err); }
-
-        if (state) { params.state = state; }
-        var parsed = url.parse(self._oauth2._authorizeUrl, true);
-        utils.merge(parsed.query, params);
-        parsed.query['client_id'] = self._oauth2._clientId;
-        delete parsed.search;
-        var location = url.format(parsed);
-        self.redirect(location);
-      }
+      self.redirect(location);
+    }
 
-      try {
-        var arity = this._stateStore.store.length;
-        if (arity == 5) {
-          this._stateStore.store(req, verifier, undefined, meta, stored);
-        } else if (arity == 3) {
-          this._stateStore.store(req, meta, stored);
-        } else { // arity == 2
-          this._stateStore.store(req, stored);
+    try {
+      var arity = this._stateStore.store.length;
+      if (arity == 5) {
+        this._stateStore.store(req, verifier, options.state, meta, stored);
+      } else if (arity == 4) {
+        this._stateStore.store(req, options.state, meta, stored);
+      } else if (arity == 3) {
+        this._stateStore.store(req, meta, stored);
+      } else { // arity == 2
+        if (options.state) {
+          params.state = options.state;
         }
-      } catch (ex) {
-        return this.error(ex);
+        this._stateStore.store(req, stored);
       }
+    } catch (ex) {
+      return this.error(ex);
     }
   }
 };