fix: remove log

chore: app dependencies
feat: add version info
2022-03-09 17:24:53 +05:30 · 2022-03-09 17:21:55 +05:30 · 2022-03-09 11:53:34 +05:30 · 2022-03-09 10:10:39 +05:30 · 2022-03-09 07:10:07 +05:30 · 2022-03-09 06:41:38 +05:30
39 changed files with 903 additions and 300 deletions
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -9,7 +9,7 @@
 			"version": "1.0.0",
 			"license": "ISC",
 			"dependencies": {
-				"@authorizerdev/authorizer-react": "0.8.0",
+				"@authorizerdev/authorizer-react": "latest",
 				"@types/react": "^17.0.15",
 				"@types/react-dom": "^17.0.9",
 				"esbuild": "^0.12.17",
@@ -24,9 +24,9 @@
 			}
 		},
 		"node_modules/@authorizerdev/authorizer-js": {
-			"version": "0.3.0",
+			"version": "0.4.0-beta.3",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.3.0.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.4.0-beta.3.tgz",
-			"integrity": "sha512-KCE5Dw5MUnEgstBUayBriDQAOjqbxU7ixC00rTHAE6aD6TxJkeSls0vCTXpvt4iiKhFK6q9BhHwa/5NwWYpDBQ==",
+			"integrity": "sha512-OGZc6I6cnpi/WkSotkjVIc3LEzl8pFeiohr8+Db9xWd75/oTfOZqWRuIHTnTc1FC+6Sv2EjTJ9Aa6lrloWG+NQ==",
 			"dependencies": {
 				"node-fetch": "^2.6.1"
 			},
@@ -35,11 +35,11 @@
 			}
 		},
 		"node_modules/@authorizerdev/authorizer-react": {
-			"version": "0.8.0",
+			"version": "0.9.0-beta.7",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.8.0.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.9.0-beta.7.tgz",
-			"integrity": "sha512-178XWGEPsovy3f6Yi2Llh6kFmjdf3ZrkIsqIAKEGPhZawV/1sA6v+4FZp7ReuCxsCelckFFQUnPR8P7od+2HeA==",
+			"integrity": "sha512-hCGsVionKMZNk+uD0CLtMIkUzhQqpHbVntko3rY+O7ouOrTrikY/WQVPbo1bqX1cu/6/cHE4RVU3cZ7V5xnxVg==",
 			"dependencies": {
-				"@authorizerdev/authorizer-js": "^0.3.0",
+				"@authorizerdev/authorizer-js": "^0.4.0-beta.3",
 				"final-form": "^4.20.2",
 				"react-final-form": "^6.5.3",
 				"styled-components": "^5.3.0"
@@ -829,19 +829,19 @@
 	},
 	"dependencies": {
 		"@authorizerdev/authorizer-js": {
-			"version": "0.3.0",
+			"version": "0.4.0-beta.3",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.3.0.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.4.0-beta.3.tgz",
-			"integrity": "sha512-KCE5Dw5MUnEgstBUayBriDQAOjqbxU7ixC00rTHAE6aD6TxJkeSls0vCTXpvt4iiKhFK6q9BhHwa/5NwWYpDBQ==",
+			"integrity": "sha512-OGZc6I6cnpi/WkSotkjVIc3LEzl8pFeiohr8+Db9xWd75/oTfOZqWRuIHTnTc1FC+6Sv2EjTJ9Aa6lrloWG+NQ==",
 			"requires": {
 				"node-fetch": "^2.6.1"
 			}
 		},
 		"@authorizerdev/authorizer-react": {
-			"version": "0.8.0",
+			"version": "0.9.0-beta.7",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.8.0.tgz",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.9.0-beta.7.tgz",
-			"integrity": "sha512-178XWGEPsovy3f6Yi2Llh6kFmjdf3ZrkIsqIAKEGPhZawV/1sA6v+4FZp7ReuCxsCelckFFQUnPR8P7od+2HeA==",
+			"integrity": "sha512-hCGsVionKMZNk+uD0CLtMIkUzhQqpHbVntko3rY+O7ouOrTrikY/WQVPbo1bqX1cu/6/cHE4RVU3cZ7V5xnxVg==",
 			"requires": {
-				"@authorizerdev/authorizer-js": "^0.3.0",
+				"@authorizerdev/authorizer-js": "^0.4.0-beta.3",
 				"final-form": "^4.20.2",
 				"react-final-form": "^6.5.3",
 				"styled-components": "^5.3.0"
--- a/app/src/App.tsx
+++ b/app/src/App.tsx
@@ -2,13 +2,33 @@ import React from 'react';
 import { BrowserRouter } from 'react-router-dom';
 import { AuthorizerProvider } from '@authorizerdev/authorizer-react';
 import Root from './Root';
 import { createRandomString } from './utils/common';
 export default function App() {
-	// @ts-ignore
+	const searchParams = new URLSearchParams(window.location.search);
-	const globalState: Record<string, string> = window['__authorizer__'];
+	const state = searchParams.get('state') || createRandomString();
-	if (globalState.state) {
+	const scope = searchParams.get('scope')
-		sessionStorage.setItem('authorizer_state', globalState.state);
+		? searchParams.get('scope')?.toString().split(' ')
 		: `openid profile email`;
 	const urlProps: Record<string, any> = {
 		state,
 		scope,
 	};
 	const redirectURL =
 		searchParams.get('redirect_uri') || searchParams.get('redirectURL');
 	if (redirectURL) {
 		urlProps.redirectURL = redirectURL;
 	} else {
 		urlProps.redirectURL = window.location.origin;
 	}
 	const globalState: Record<string, string> = {
 		// @ts-ignore
 		...window['__authorizer__'],
 		...urlProps,
 	};
 	return (
 		<div
 			style={{
@@ -33,15 +53,7 @@ export default function App() {
 				/>
 				<h1>{globalState.organizationName}</h1>
 			</div>
-			<div
+			<div className="container">
 				style={{
 					width: 400,
 					margin: `10px auto`,
 					border: `1px solid #D1D5DB`,
 					padding: `25px 20px`,
 					borderRadius: 5,
 				}}
 			>
 				<BrowserRouter>
 					<AuthorizerProvider
 						config={{
@@ -49,7 +61,7 @@ export default function App() {
 							redirectURL: globalState.redirectURL,
 						}}
 					>
-						<Root />
+						<Root globalState={globalState} />
 					</AuthorizerProvider>
 				</BrowserRouter>
 			</div>
--- a/app/src/Root.tsx
+++ b/app/src/Root.tsx
@@ -6,19 +6,30 @@ const ResetPassword = lazy(() => import('./pages/rest-password'));
 const Login = lazy(() => import('./pages/login'));
 const Dashboard = lazy(() => import('./pages/dashboard'));
-export default function Root() {
+export default function Root({
 	globalState,
 }: {
 	globalState: Record<string, string>;
 }) {
 	const { token, loading, config } = useAuthorizer();
 	useEffect(() => {
 		if (token) {
-			const state = sessionStorage.getItem('authorizer_state')?.trim();
+			let redirectURL = config.redirectURL || '/app';
-			const url = new URL(config.redirectURL || '/app');
+			let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
 			if (token.refresh_token) {
 				params += `&refresh_token=${token.refresh_token}`;
 			}
 			const url = new URL(redirectURL);
 			if (redirectURL.includes('?')) {
 				redirectURL = `${redirectURL}&${params}`;
 			} else {
 				redirectURL = `${redirectURL}?${params}`;
 			}
 			if (url.origin !== window.location.origin) {
 				console.log({ x: `${config.redirectURL || '/app'}?state=${state}` });
 				sessionStorage.removeItem('authorizer_state');
-				window.location.replace(
+				window.location.replace(redirectURL);
 					`${config.redirectURL || '/app'}?state=${state}`
 				);
 			}
 		}
 		return () => {};
--- a/app/src/index.css
+++ b/app/src/index.css
@@ -1,5 +1,5 @@
 body {
-	margin: 0;
+	margin: 10;
 	font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen',
 		'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue',
 		sans-serif;
@@ -14,3 +14,17 @@ body {
 *:after {
 	box-sizing: inherit;
 }
 .container {
 	box-sizing: content-box;
 	border: 1px solid #d1d5db;
 	padding: 25px 20px;
 	border-radius: 5px;
 }
@media only screen and (min-width: 768px) {
 	.container {
 		width: 400px;
 		margin: 0 auto;
 	}
 }
--- a/app/src/utils/common.ts
+++ b/app/src/utils/common.ts
@@ -0,0 +1,22 @@
 export const getCrypto = () => {
 	//ie 11.x uses msCrypto
 	return (window.crypto || (window as any).msCrypto) as Crypto;
 };
 export const createRandomString = () => {
 	const charset =
 		'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.';
 	let random = '';
 	const randomValues = Array.from(
 		getCrypto().getRandomValues(new Uint8Array(43))
 	);
 	randomValues.forEach((v) => (random += charset[v % charset.length]));
 	return random;
 };
 export const createQueryParams = (params: any) => {
 	return Object.keys(params)
 		.filter((k) => typeof params[k] !== 'undefined')
 		.map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
 		.join('&');
 };
--- a/dashboard/src/components/Menu.tsx
+++ b/dashboard/src/components/Menu.tsx
@@ -29,10 +29,11 @@ import {
 } from 'react-icons/fi';
 import { IconType } from 'react-icons';
 import { ReactText } from 'react';
-import { useMutation } from 'urql';
+import { useMutation, useQuery } from 'urql';
 import { NavLink, useNavigate, useLocation } from 'react-router-dom';
 import { useAuthContext } from '../contexts/AuthContext';
 import { AdminLogout } from '../graphql/mutation';
 import { MetaQuery } from '../graphql/queries';
 interface LinkItemProps {
 	name: string;
@@ -51,6 +52,7 @@ interface SidebarProps extends BoxProps {
 export const Sidebar = ({ onClose, ...rest }: SidebarProps) => {
 	const { pathname } = useLocation();
 	const [{ fetching, data }] = useQuery({ query: MetaQuery });
 	return (
 		<Box
 			transition="3s ease"
@@ -98,6 +100,19 @@ export const Sidebar = ({ onClose, ...rest }: SidebarProps) => {
 			>
 				<NavItem icon={FiCode}>API Playground</NavItem>
 			</Link>
 			{data?.meta?.version && (
 				<Text
 					color="gray.600"
 					fontSize="sm"
 					textAlign="center"
 					position="absolute"
 					bottom="5"
 					left="7"
 				>
 					Current Version: {data.meta.version}
 				</Text>
 			)}
 		</Box>
 	);
 };
--- a/dashboard/src/graphql/queries/index.ts
+++ b/dashboard/src/graphql/queries/index.ts
@@ -1,3 +1,12 @@
 export const MetaQuery = `
  query MetaQuery {
    meta {
      version
      client_id
    }
  }
 `;
 export const AdminSessionQuery = `
  query {
    _admin_session{
--- a/dashboard/src/layouts/AuthLayout.tsx
+++ b/dashboard/src/layouts/AuthLayout.tsx
@@ -1,8 +1,10 @@
-import { Box, Center, Flex, Image, Text } from '@chakra-ui/react';
+import { Box, Flex, Image, Text, Spinner } from '@chakra-ui/react';
 import React from 'react';
-import { LOGO_URL } from '../constants';
+import { useQuery } from 'urql';
 import { MetaQuery } from '../graphql/queries';
 export function AuthLayout({ children }: { children: React.ReactNode }) {
 	const [{ fetching, data }] = useQuery({ query: MetaQuery });
 	return (
 		<Flex
 			flexWrap="wrap"
@@ -23,9 +25,18 @@ export function AuthLayout({ children }: { children: React.ReactNode }) {
 				</Text>
 			</Flex>
 			{fetching ? (
 				<Spinner />
 			) : (
 				<>
 					<Box p="6" m="5" rounded="5" bg="white" w="500px" shadow="xl">
 						{children}
 					</Box>
 					<Text color="gray.600" fontSize="sm">
 						Current Version: {data.meta.version}
 					</Text>
 				</>
 			)}
 		</Flex>
 	);
 }
--- a/dashboard/src/pages/Auth.tsx
+++ b/dashboard/src/pages/Auth.tsx
@@ -6,7 +6,6 @@ import {
 	useToast,
 	VStack,
 	Text,
 	Divider,
 } from '@chakra-ui/react';
 import React, { useEffect } from 'react';
 import { useMutation } from 'urql';
--- a/server/db/models/verification_requests.go
+++ b/server/db/models/verification_requests.go
@@ -12,7 +12,8 @@ type VerificationRequest struct {
 	CreatedAt   int64  `json:"created_at" bson:"created_at"`
 	UpdatedAt   int64  `json:"updated_at" bson:"updated_at"`
 	Email       string `gorm:"uniqueIndex:idx_email_identifier" json:"email" bson:"email"`
-	Nonce      string `gorm:"type:char(36)" json:"nonce" bson:"nonce"`
+	Nonce       string `gorm:"type:text" json:"nonce" bson:"nonce"`
 	RedirectURI string `gorm:"type:text" json:"redirect_uri" bson:"redirect_uri"`
 }
 func (v *VerificationRequest) AsAPIVerificationRequest() *model.VerificationRequest {
@@ -24,5 +25,7 @@ func (v *VerificationRequest) AsAPIVerificationRequest() *model.VerificationRequ
 		CreatedAt:   &v.CreatedAt,
 		UpdatedAt:   &v.UpdatedAt,
 		Email:       &v.Email,
 		Nonce:       &v.Nonce,
 		RedirectURI: &v.RedirectURI,
 	}
 }
--- a/server/db/providers/sql/verification_requests.go
+++ b/server/db/providers/sql/verification_requests.go
@@ -21,7 +21,7 @@ func (p *provider) AddVerificationRequest(verificationRequest models.Verificatio
 	verificationRequest.UpdatedAt = time.Now().Unix()
 	result := p.db.Clauses(clause.OnConflict{
 		Columns:   []clause.Column{{Name: "email"}, {Name: "identifier"}},
-		DoUpdates: clause.AssignmentColumns([]string{"token", "expires_at"}),
+		DoUpdates: clause.AssignmentColumns([]string{"token", "expires_at", "nonce", "redirect_uri"}),
 	}).Create(&verificationRequest)
 	if result.Error != nil {
--- a/server/email/verification_email.go
+++ b/server/email/verification_email.go
@@ -1,6 +1,8 @@
 package email
 import (
 	"log"
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 )
@@ -103,5 +105,9 @@ func SendVerificationMail(toEmail, token, hostname string) error {
 	message = addEmailTemplate(message, data, "verify_email.tmpl")
 	// bodyMessage := sender.WriteHTMLEmail(Receiver, Subject, message)
-	return SendMail(Receiver, Subject, message)
+	err := SendMail(Receiver, Subject, message)
 	if err != nil {
 		log.Println("=> error sending email:", err)
 	}
 	return err
 }
--- a/server/graph/generated/generated.go
+++ b/server/graph/generated/generated.go
@@ -119,6 +119,7 @@ type ComplexityRoot struct {
 		MagicLinkLogin    func(childComplexity int, params model.MagicLinkLoginInput) int
 		ResendVerifyEmail func(childComplexity int, params model.ResendVerifyEmailInput) int
 		ResetPassword     func(childComplexity int, params model.ResetPasswordInput) int
 		Revoke            func(childComplexity int, params model.OAuthRevokeInput) int
 		Signup            func(childComplexity int, params model.SignUpInput) int
 		UpdateEnv         func(childComplexity int, params model.UpdateEnvInput) int
 		UpdateProfile     func(childComplexity int, params model.UpdateProfileInput) int
@@ -178,6 +179,8 @@ type ComplexityRoot struct {
 		Expires     func(childComplexity int) int
 		ID          func(childComplexity int) int
 		Identifier  func(childComplexity int) int
 		Nonce       func(childComplexity int) int
 		RedirectURI func(childComplexity int) int
 		Token       func(childComplexity int) int
 		UpdatedAt   func(childComplexity int) int
 	}
@@ -198,6 +201,7 @@ type MutationResolver interface {
 	ResendVerifyEmail(ctx context.Context, params model.ResendVerifyEmailInput) (*model.Response, error)
 	ForgotPassword(ctx context.Context, params model.ForgotPasswordInput) (*model.Response, error)
 	ResetPassword(ctx context.Context, params model.ResetPasswordInput) (*model.Response, error)
 	Revoke(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error)
 	DeleteUser(ctx context.Context, params model.DeleteUserInput) (*model.Response, error)
 	UpdateUser(ctx context.Context, params model.UpdateUserInput) (*model.User, error)
 	AdminSignup(ctx context.Context, params model.AdminSignupInput) (*model.Response, error)
@@ -711,6 +715,18 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 		return e.complexity.Mutation.ResetPassword(childComplexity, args["params"].(model.ResetPasswordInput)), true
 	case "Mutation.revoke":
 		if e.complexity.Mutation.Revoke == nil {
 			break
 		}
 		args, err := ec.field_Mutation_revoke_args(context.TODO(), rawArgs)
 		if err != nil {
 			return 0, false
 		}
 		return e.complexity.Mutation.Revoke(childComplexity, args["params"].(model.OAuthRevokeInput)), true
 	case "Mutation.signup":
 		if e.complexity.Mutation.Signup == nil {
 			break
@@ -1038,6 +1054,20 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 		return e.complexity.VerificationRequest.Identifier(childComplexity), true
 	case "VerificationRequest.nonce":
 		if e.complexity.VerificationRequest.Nonce == nil {
 			break
 		}
 		return e.complexity.VerificationRequest.Nonce(childComplexity), true
 	case "VerificationRequest.redirect_uri":
 		if e.complexity.VerificationRequest.RedirectURI == nil {
 			break
 		}
 		return e.complexity.VerificationRequest.RedirectURI(childComplexity), true
 	case "VerificationRequest.token":
 		if e.complexity.VerificationRequest.Token == nil {
 			break
@@ -1189,6 +1219,8 @@ type VerificationRequest {
 	expires: Int64
 	created_at: Int64
 	updated_at: Int64
 	nonce: String
 	redirect_uri: String
 }
 type VerificationRequests {
@@ -1311,6 +1343,7 @@ input SignUpInput {
 	password: String!
 	confirm_password: String!
 	roles: [String!]
 	scope: [String!]
 }
 input LoginInput {
@@ -1361,6 +1394,8 @@ input UpdateUserInput {
 input ForgotPasswordInput {
 	email: String!
 	state: String
 	redirect_uri: String
 }
 input ResetPasswordInput {
@@ -1377,6 +1412,8 @@ input MagicLinkLoginInput {
 	email: String!
 	roles: [String!]
 	scope: [String!]
 	state: String
 	redirect_uri: String
 }
 input SessionQueryInput {
@@ -1393,6 +1430,10 @@ input PaginatedInput {
 	pagination: PaginationInput
 }
 input OAuthRevokeInput {
 	refresh_token: String!
 }
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -1403,6 +1444,7 @@ type Mutation {
 	resend_verify_email(params: ResendVerifyEmailInput!): Response!
 	forgot_password(params: ForgotPasswordInput!): Response!
 	reset_password(params: ResetPasswordInput!): Response!
 	revoke(params: OAuthRevokeInput!): Response!
 	# admin only apis
 	_delete_user(params: DeleteUserInput!): Response!
 	_update_user(params: UpdateUserInput!): User!
@@ -1580,6 +1622,21 @@ func (ec *executionContext) field_Mutation_reset_password_args(ctx context.Conte
 	return args, nil
 }
 func (ec *executionContext) field_Mutation_revoke_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
 	var err error
 	args := map[string]interface{}{}
 	var arg0 model.OAuthRevokeInput
 	if tmp, ok := rawArgs["params"]; ok {
 		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 		arg0, err = ec.unmarshalNOAuthRevokeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐOAuthRevokeInput(ctx, tmp)
 		if err != nil {
 			return nil, err
 		}
 	}
 	args["params"] = arg0
 	return args, nil
 }
 func (ec *executionContext) field_Mutation_signup_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
 	var err error
 	args := map[string]interface{}{}
@@ -3838,6 +3895,48 @@ func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field
 	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
 			ret = graphql.Null
 		}
 	}()
 	fc := &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
 		Args:       nil,
 		IsMethod:   true,
 		IsResolver: true,
 	}
 	ctx = graphql.WithFieldContext(ctx, fc)
 	rawArgs := field.ArgumentMap(ec.Variables)
 	args, err := ec.field_Mutation_revoke_args(ctx, rawArgs)
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	fc.Args = args
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
 		return ec.resolvers.Mutation().Revoke(rctx, args["params"].(model.OAuthRevokeInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
 		if !graphql.HasFieldError(ctx, fc) {
 			ec.Errorf(ctx, "must not be null")
 		}
 		return graphql.Null
 	}
 	res := resTmp.(*model.Response)
 	fc.Result = res
 	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -5451,6 +5550,70 @@ func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context,
 	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
 			ret = graphql.Null
 		}
 	}()
 	fc := &graphql.FieldContext{
 		Object:     "VerificationRequest",
 		Field:      field,
 		Args:       nil,
 		IsMethod:   false,
 		IsResolver: false,
 	}
 	ctx = graphql.WithFieldContext(ctx, fc)
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
 		return obj.Nonce, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
 		return graphql.Null
 	}
 	res := resTmp.(*string)
 	fc.Result = res
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
 			ret = graphql.Null
 		}
 	}()
 	fc := &graphql.FieldContext{
 		Object:     "VerificationRequest",
 		Field:      field,
 		Args:       nil,
 		IsMethod:   false,
 		IsResolver: false,
 	}
 	ctx = graphql.WithFieldContext(ctx, fc)
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
 		return obj.RedirectURI, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
 		return graphql.Null
 	}
 	res := resTmp.(*string)
 	fc.Result = res
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -6729,6 +6892,22 @@ func (ec *executionContext) unmarshalInputForgotPasswordInput(ctx context.Contex
 			if err != nil {
 				return it, err
 			}
 		case "state":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			it.State, err = ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		case "redirect_uri":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
 			it.RedirectURI, err = ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		}
 	}
@@ -6815,6 +6994,45 @@ func (ec *executionContext) unmarshalInputMagicLinkLoginInput(ctx context.Contex
 			if err != nil {
 				return it, err
 			}
 		case "state":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			it.State, err = ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		case "redirect_uri":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
 			it.RedirectURI, err = ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		}
 	}
 	return it, nil
 }
 func (ec *executionContext) unmarshalInputOAuthRevokeInput(ctx context.Context, obj interface{}) (model.OAuthRevokeInput, error) {
 	var it model.OAuthRevokeInput
 	asMap := map[string]interface{}{}
 	for k, v := range obj.(map[string]interface{}) {
 		asMap[k] = v
 	}
 	for k, v := range asMap {
 		switch k {
 		case "refresh_token":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("refresh_token"))
 			it.RefreshToken, err = ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		}
 	}
@@ -7081,6 +7299,14 @@ func (ec *executionContext) unmarshalInputSignUpInput(ctx context.Context, obj i
 			if err != nil {
 				return it, err
 			}
 		case "scope":
 			var err error
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
 			it.Scope, err = ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
 		}
 	}
@@ -7921,6 +8147,11 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet)
 			if out.Values[i] == graphql.Null {
 				invalids++
 			}
 		case "revoke":
 			out.Values[i] = ec._Mutation_revoke(ctx, field)
 			if out.Values[i] == graphql.Null {
 				invalids++
 			}
 		case "_delete_user":
 			out.Values[i] = ec._Mutation__delete_user(ctx, field)
 			if out.Values[i] == graphql.Null {
@@ -8290,6 +8521,10 @@ func (ec *executionContext) _VerificationRequest(ctx context.Context, sel ast.Se
 			out.Values[i] = ec._VerificationRequest_created_at(ctx, field, obj)
 		case "updated_at":
 			out.Values[i] = ec._VerificationRequest_updated_at(ctx, field, obj)
 		case "nonce":
 			out.Values[i] = ec._VerificationRequest_nonce(ctx, field, obj)
 		case "redirect_uri":
 			out.Values[i] = ec._VerificationRequest_redirect_uri(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -8700,6 +8935,11 @@ func (ec *executionContext) marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋautho
 	return ec._Meta(ctx, sel, v)
 }
 func (ec *executionContext) unmarshalNOAuthRevokeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐOAuthRevokeInput(ctx context.Context, v interface{}) (model.OAuthRevokeInput, error) {
 	res, err := ec.unmarshalInputOAuthRevokeInput(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 func (ec *executionContext) marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐPagination(ctx context.Context, sel ast.SelectionSet, v *model.Pagination) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
--- a/server/graph/model/models_gen.go
+++ b/server/graph/model/models_gen.go
@@ -70,6 +70,8 @@ type Error struct {
 type ForgotPasswordInput struct {
 	Email       string  `json:"email"`
 	State       *string `json:"state"`
 	RedirectURI *string `json:"redirect_uri"`
 }
 type LoginInput struct {
@@ -83,6 +85,8 @@ type MagicLinkLoginInput struct {
 	Email       string   `json:"email"`
 	Roles       []string `json:"roles"`
 	Scope       []string `json:"scope"`
 	State       *string  `json:"state"`
 	RedirectURI *string  `json:"redirect_uri"`
 }
 type Meta struct {
@@ -96,6 +100,10 @@ type Meta struct {
 	IsMagicLinkLoginEnabled      bool   `json:"is_magic_link_login_enabled"`
 }
 type OAuthRevokeInput struct {
 	RefreshToken string `json:"refresh_token"`
 }
 type PaginatedInput struct {
 	Pagination *PaginationInput `json:"pagination"`
 }
@@ -145,6 +153,7 @@ type SignUpInput struct {
 	Password        string   `json:"password"`
 	ConfirmPassword string   `json:"confirm_password"`
 	Roles           []string `json:"roles"`
 	Scope           []string `json:"scope"`
 }
 type UpdateEnvInput struct {
@@ -246,6 +255,8 @@ type VerificationRequest struct {
 	Expires     *int64  `json:"expires"`
 	CreatedAt   *int64  `json:"created_at"`
 	UpdatedAt   *int64  `json:"updated_at"`
 	Nonce       *string `json:"nonce"`
 	RedirectURI *string `json:"redirect_uri"`
 }
 type VerificationRequests struct {
--- a/server/graph/schema.graphqls
+++ b/server/graph/schema.graphqls
@@ -57,6 +57,8 @@ type VerificationRequest {
 	expires: Int64
 	created_at: Int64
 	updated_at: Int64
 	nonce: String
 	redirect_uri: String
 }
 type VerificationRequests {
@@ -179,6 +181,7 @@ input SignUpInput {
 	password: String!
 	confirm_password: String!
 	roles: [String!]
 	scope: [String!]
 }
 input LoginInput {
@@ -229,6 +232,8 @@ input UpdateUserInput {
 input ForgotPasswordInput {
 	email: String!
 	state: String
 	redirect_uri: String
 }
 input ResetPasswordInput {
@@ -245,6 +250,8 @@ input MagicLinkLoginInput {
 	email: String!
 	roles: [String!]
 	scope: [String!]
 	state: String
 	redirect_uri: String
 }
 input SessionQueryInput {
@@ -261,6 +268,10 @@ input PaginatedInput {
 	pagination: PaginationInput
 }
 input OAuthRevokeInput {
 	refresh_token: String!
 }
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -271,6 +282,7 @@ type Mutation {
 	resend_verify_email(params: ResendVerifyEmailInput!): Response!
 	forgot_password(params: ForgotPasswordInput!): Response!
 	reset_password(params: ResetPasswordInput!): Response!
 	revoke(params: OAuthRevokeInput!): Response!
 	# admin only apis
 	_delete_user(params: DeleteUserInput!): Response!
 	_update_user(params: UpdateUserInput!): User!
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@@ -47,6 +47,10 @@ func (r *mutationResolver) ResetPassword(ctx context.Context, params model.Reset
 	return resolvers.ResetPasswordResolver(ctx, params)
 }
 func (r *mutationResolver) Revoke(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error) {
 	return resolvers.RevokeResolver(ctx, params)
 }
 func (r *mutationResolver) DeleteUser(ctx context.Context, params model.DeleteUserInput) (*model.Response, error) {
 	return resolvers.DeleteUserResolver(ctx, params)
 }
--- a/server/handlers/app.go
+++ b/server/handlers/app.go
@@ -1,13 +1,11 @@
 package handlers
 import (
 	"encoding/json"
 	"log"
 	"net/http"
 	"strings"
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
@@ -18,7 +16,6 @@ import (
 type State struct {
 	AuthorizerURL string `json:"authorizerURL"`
 	RedirectURL   string `json:"redirectURL"`
 	State         string `json:"state"`
 }
 // AppHandler is the handler for the /app route
@@ -30,44 +27,25 @@ func AppHandler() gin.HandlerFunc {
 			return
 		}
-		state := c.Query("state")
+		redirect_uri := strings.TrimSpace(c.Query("redirect_uri"))
 		state := strings.TrimSpace(c.Query("state"))
 		scopeString := strings.TrimSpace(c.Query("scope"))
-		var stateObj State
+		var scope []string
-
+		if scopeString == "" {
-		if state == "" {
+			scope = []string{"openid", "profile", "email"}
 			stateObj.AuthorizerURL = hostname
 			stateObj.RedirectURL = hostname + "/app"
 		} else {
-			decodedState, err := crypto.DecryptB64(state)
+			scope = strings.Split(scopeString, " ")
 			if err != nil {
 				c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
 				return
 		}
-			err = json.Unmarshal([]byte(decodedState), &stateObj)
+		if redirect_uri == "" {
-			if err != nil {
+			redirect_uri = hostname + "/app"
-				c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"})
+		} else {
 				return
 			}
 			stateObj.AuthorizerURL = strings.TrimSuffix(stateObj.AuthorizerURL, "/")
 			stateObj.RedirectURL = strings.TrimSuffix(stateObj.RedirectURL, "/")
 			// validate redirect url with allowed origins
-			if !utils.IsValidOrigin(stateObj.RedirectURL) {
+			if !utils.IsValidOrigin(redirect_uri) {
 				c.JSON(400, gin.H{"error": "invalid redirect url"})
 				return
 			}
 			if stateObj.AuthorizerURL == "" {
 				c.JSON(400, gin.H{"error": "invalid authorizer url"})
 				return
 			}
 			// validate host and domain of authorizer url
 			if strings.TrimSuffix(stateObj.AuthorizerURL, "/") != hostname {
 				c.JSON(400, gin.H{"error": "invalid host url"})
 				return
 			}
 		}
 		// debug the request state
@@ -78,10 +56,11 @@ func AppHandler() gin.HandlerFunc {
 			}
 		}
 		c.HTML(http.StatusOK, "app.tmpl", gin.H{
-			"data": map[string]string{
+			"data": map[string]interface{}{
-				"authorizerURL":    stateObj.AuthorizerURL,
+				"authorizerURL":    hostname,
-				"redirectURL":      stateObj.RedirectURL,
+				"redirectURL":      redirect_uri,
-				"state":            stateObj.State,
+				"scope":            scope,
 				"state":            state,
 				"organizationName": envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationName),
 				"organizationLogo": envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyOrganizationLogo),
 			},
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@@ -2,16 +2,15 @@ package handlers
 import (
 	"net/http"
 	"strconv"
 	"strings"
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
@@ -36,6 +35,13 @@ func AuthorizeHandler() gin.HandlerFunc {
 		template := "authorize.tmpl"
 		responseMode := strings.TrimSpace(gc.Query("response_mode"))
 		var scope []string
 		if scopeString == "" {
 			scope = []string{"openid", "profile", "email"}
 		} else {
 			scope = strings.Split(scopeString, " ")
 		}
 		if responseMode == "" {
 			responseMode = "query"
 		}
@@ -50,9 +56,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		isQuery := responseMode == "query"
-		hostname := utils.GetHost(gc)
+		loginURL := "/app?state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
 		loginRedirectState := crypto.EncryptB64(`{"authorizerURL":"` + hostname + `","redirectURL":"` + redirectURI + `", "state":"` + state + `"}`)
 		loginURL := "/app?state=" + loginRedirectState
 		if clientID == "" {
 			if isQuery {
@@ -109,13 +113,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 			responseType = "token"
 		}
 		var scope []string
 		if scopeString == "" {
 			scope = []string{"openid", "profile", "email"}
 		} else {
 			scope = strings.Split(scopeString, " ")
 		}
 		isResponseTypeCode := responseType == "code"
 		isResponseTypeToken := responseType == "token"
@@ -279,8 +276,11 @@ func AuthorizeHandler() gin.HandlerFunc {
 			sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 			cookie.SetSession(gc, authToken.FingerPrintHash)
 			expiresIn := int64(1800)
 			// used of query mode
 			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
 			res := map[string]interface{}{
 				"access_token": authToken.AccessToken.Token,
 				"id_token":     authToken.IDToken.Token,
@@ -292,9 +292,17 @@ func AuthorizeHandler() gin.HandlerFunc {
 			if authToken.RefreshToken != nil {
 				res["refresh_token"] = authToken.RefreshToken.Token
-				sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+				params += "&refresh_token=" + authToken.RefreshToken.Token
 				sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 			}
 			if isQuery {
 				if strings.Contains(redirectURI, "?") {
 					gc.Redirect(http.StatusFound, redirectURI+"&"+params)
 				} else {
 					gc.Redirect(http.StatusFound, redirectURI+"?"+params)
 				}
 			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -302,6 +310,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 						"response": res,
 					},
 				})
 			}
 			return
 		}
--- a/server/handlers/logout.go
+++ b/server/handlers/logout.go
@@ -2,6 +2,7 @@ package handlers
 import (
 	"net/http"
 	"strings"
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
@@ -9,8 +10,10 @@ import (
 	"github.com/gin-gonic/gin"
 )
 // Handler to logout user
 func LogoutHandler() gin.HandlerFunc {
 	return func(gc *gin.Context) {
 		redirectURL := strings.TrimSpace(gc.Query("redirect_uri"))
 		// get fingerprint hash
 		fingerprintHash, err := cookie.GetSession(gc)
 		if err != nil {
@@ -33,8 +36,12 @@ func LogoutHandler() gin.HandlerFunc {
 		sessionstore.RemoveState(fingerPrint)
 		cookie.DeleteSession(gc)
 		if redirectURL != "" {
 			gc.Redirect(http.StatusFound, redirectURL)
 		} else {
 			gc.JSON(http.StatusOK, gin.H{
 				"message": "Logged out successfully",
 			})
 		}
 	}
 }
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -21,7 +22,6 @@ import (
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/oauth2"
 )
@@ -39,14 +39,15 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")
-		// TODO validate redirect url
+		if len(sessionSplit) < 3 {
 		if len(sessionSplit) < 2 {
 			c.JSON(400, gin.H{"error": "invalid redirect url"})
 			return
 		}
-		inputRoles := strings.Split(sessionSplit[2], ",")
+		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
 		scopes := strings.Split(sessionSplit[3], ",")
 		var err error
 		user := models.User{}
@@ -145,17 +146,29 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			}
 		}
-		// TODO use query param
+		authToken, err := token.CreateAuthToken(c, user, inputRoles, scopes)
 		scope := []string{"openid", "email", "profile"}
 		nonce := uuid.New().String()
 		_, newSessionToken, err := token.CreateSessionToken(user, nonce, inputRoles, scope)
 		if err != nil {
 			c.JSON(500, gin.H{"error": err.Error()})
 		}
 		expiresIn := int64(1800)
 		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token
 		cookie.SetSession(c, authToken.FingerPrintHash)
 		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=` + authToken.RefreshToken.Token
 			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 		}
 		sessionstore.SetState(newSessionToken, nonce+"@"+user.ID)
 		cookie.SetSession(c, newSessionToken)
 		go utils.SaveSessionInDB(c, user.ID)
 		if strings.Contains(redirectURL, "?") {
 			redirectURL = redirectURL + "&" + params
 		} else {
 			redirectURL = redirectURL + "?" + params
 		}
 		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	}
 }
--- a/server/handlers/oauth_login.go
+++ b/server/handlers/oauth_login.go
@@ -10,23 +10,38 @@ import (
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 // OAuthLoginHandler set host in the oauth state that is useful for redirecting to oauth_callback
 func OAuthLoginHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		hostname := utils.GetHost(c)
-		redirectURL := c.Query("redirectURL")
+		redirectURI := strings.TrimSpace(c.Query("redirectURL"))
-		roles := c.Query("roles")
+		roles := strings.TrimSpace(c.Query("roles"))
 		state := strings.TrimSpace(c.Query("state"))
 		scopeString := strings.TrimSpace(c.Query("scope"))
-		if redirectURL == "" {
+		if redirectURI == "" {
 			c.JSON(400, gin.H{
-				"error": "invalid redirect url",
+				"error": "invalid redirect uri",
 			})
 			return
 		}
 		if state == "" {
 			c.JSON(400, gin.H{
 				"error": "invalid state",
 			})
 			return
 		}
 		var scope []string
 		if scopeString == "" {
 			scope = []string{"openid", "profile", "email"}
 		} else {
 			scope = strings.Split(scopeString, " ")
 		}
 		if roles != "" {
 			// validate role
 			rolesSplit := strings.Split(roles, ",")
@@ -43,8 +58,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 			roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 		}
-		uuid := uuid.New()
+		oauthStateString := state + "___" + redirectURI + "___" + roles + "___" + strings.Join(scope, ",")
 		oauthStateString := uuid.String() + "___" + redirectURL + "___" + roles
 		provider := c.Param("oauth_provider")
 		isProviderConfigured := true
--- a/server/handlers/revoke.go
+++ b/server/handlers/revoke.go
@@ -0,0 +1,50 @@
 package handlers
 import (
 	"net/http"
 	"strings"
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/gin-gonic/gin"
 )
 // Revoke handler to revoke refresh token
 func RevokeHandler() gin.HandlerFunc {
 	return func(gc *gin.Context) {
 		var reqBody map[string]string
 		if err := gc.BindJSON(&reqBody); err != nil {
 			gc.JSON(http.StatusBadRequest, gin.H{
 				"error":             "error_binding_json",
 				"error_description": err.Error(),
 			})
 			return
 		}
 		// get fingerprint hash
 		refreshToken := strings.TrimSpace(reqBody["refresh_token"])
 		clientID := strings.TrimSpace(reqBody["client_id"])
 		if clientID == "" {
 			gc.JSON(http.StatusBadRequest, gin.H{
 				"error":             "client_id_required",
 				"error_description": "The client id is required",
 			})
 			return
 		}
 		if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
 			gc.JSON(http.StatusBadRequest, gin.H{
 				"error":             "invalid_client_id",
 				"error_description": "The client id is invalid",
 			})
 			return
 		}
 		sessionstore.RemoveState(refreshToken)
 		gc.JSON(http.StatusOK, gin.H{
 			"message": "Token revoked successfully",
 		})
 	}
 }
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -15,6 +15,8 @@ import (
 	"github.com/gin-gonic/gin"
 )
 // TokenHandler to handle /oauth/token requests
 // grant type required
 func TokenHandler() gin.HandlerFunc {
 	return func(gc *gin.Context) {
 		var reqBody map[string]string
@@ -29,6 +31,22 @@ func TokenHandler() gin.HandlerFunc {
 		codeVerifier := strings.TrimSpace(reqBody["code_verifier"])
 		code := strings.TrimSpace(reqBody["code"])
 		clientID := strings.TrimSpace(reqBody["client_id"])
 		grantType := strings.TrimSpace(reqBody["grant_type"])
 		refreshToken := strings.TrimSpace(reqBody["refresh_token"])
 		if grantType == "" {
 			grantType = "authorization_code"
 		}
 		isRefreshTokenGrant := grantType == "refresh_token"
 		isAuthorizationCodeGrant := grantType == "authorization_code"
 		if !isRefreshTokenGrant && !isAuthorizationCodeGrant {
 			gc.JSON(http.StatusBadRequest, gin.H{
 				"error":             "invalid_grant_type",
 				"error_description": "grant_type is invalid",
 			})
 		}
 		if clientID == "" {
 			gc.JSON(http.StatusBadRequest, gin.H{
@@ -46,6 +64,10 @@ func TokenHandler() gin.HandlerFunc {
 			return
 		}
 		var userID string
 		var roles, scope []string
 		if isAuthorizationCodeGrant {
 			if codeVerifier == "" {
 				gc.JSON(http.StatusBadRequest, gin.H{
 					"error":             "invalid_code_verifier",
@@ -88,6 +110,8 @@ func TokenHandler() gin.HandlerFunc {
 				return
 			}
 			// rollover the session for security
 			sessionstore.RemoveState(sessionDataSplit[1])
 			// validate session
 			claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])
 			if err != nil {
@@ -97,7 +121,38 @@ func TokenHandler() gin.HandlerFunc {
 				})
 				return
 			}
-		userID := claims.Subject
+			userID = claims.Subject
 			roles = claims.Roles
 			scope = claims.Scope
 		} else {
 			// validate refresh token
 			if refreshToken == "" {
 				gc.JSON(http.StatusBadRequest, gin.H{
 					"error":             "invalid_refresh_token",
 					"error_description": "The refresh token is invalid",
 				})
 			}
 			claims, err := token.ValidateRefreshToken(gc, refreshToken)
 			if err != nil {
 				gc.JSON(http.StatusUnauthorized, gin.H{
 					"error":             "unauthorized",
 					"error_description": err.Error(),
 				})
 			}
 			userID = claims["sub"].(string)
 			rolesInterface := claims["roles"].([]interface{})
 			scopeInterface := claims["scope"].([]interface{})
 			for _, v := range rolesInterface {
 				roles = append(roles, v.(string))
 			}
 			for _, v := range scopeInterface {
 				scope = append(scope, v.(string))
 			}
 			// remove older refresh token and rotate it for security
 			sessionstore.RemoveState(refreshToken)
 		}
 		user, err := db.Provider.GetUserByID(userID)
 		if err != nil {
 			gc.JSON(http.StatusUnauthorized, gin.H{
@@ -106,9 +161,8 @@ func TokenHandler() gin.HandlerFunc {
 			})
 			return
 		}
-		// rollover the session for security
+
-		sessionstore.RemoveState(sessionDataSplit[1])
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope)
 		authToken, err := token.CreateAuthToken(gc, user, claims.Roles, claims.Scope)
 		if err != nil {
 			gc.JSON(http.StatusUnauthorized, gin.H{
 				"error":             "unauthorized",
@@ -124,13 +178,14 @@ func TokenHandler() gin.HandlerFunc {
 		res := map[string]interface{}{
 			"access_token": authToken.AccessToken.Token,
 			"id_token":     authToken.IDToken.Token,
-			"scope":        claims.Scope,
+			"scope":        scope,
 			"roles":        roles,
 			"expires_in":   expiresIn,
 		}
 		if authToken.RefreshToken != nil {
 			res["refresh_token"] = authToken.RefreshToken.Token
-			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 		}
 		gc.JSON(http.StatusOK, res)
--- a/server/handlers/verify_email.go
+++ b/server/handlers/verify_email.go
@@ -2,6 +2,7 @@ package handlers
 import (
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -11,7 +12,6 @@ import (
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 // VerifyEmailHandler handles the verify email route.
@@ -19,7 +19,7 @@ import (
 func VerifyEmailHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		errorRes := gin.H{
-			"error": "invalid token",
+			"error": "invalid_token",
 		}
 		tokenInQuery := c.Query("token")
 		if tokenInQuery == "" {
@@ -29,30 +29,24 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		verificationRequest, err := db.Provider.GetVerificationRequestByToken(tokenInQuery)
 		if err != nil {
 			errorRes["error_description"] = err.Error()
 			c.JSON(400, errorRes)
 			return
 		}
 		// verify if token exists in db
 		hostname := utils.GetHost(c)
-		encryptedNonce, err := utils.EncryptNonce(verificationRequest.Nonce)
+		claim, err := token.ParseJWTToken(tokenInQuery, hostname, verificationRequest.Nonce, verificationRequest.Email)
 		if err != nil {
 			c.JSON(400, gin.H{
 				"error": err.Error(),
 			})
 			return
 		}
 		claim, err := token.ParseJWTToken(tokenInQuery, hostname, encryptedNonce, verificationRequest.Email)
 		if err != nil {
 			errorRes["error_description"] = err.Error()
 			c.JSON(400, errorRes)
 			return
 		}
 		user, err := db.Provider.GetUserByEmail(claim["sub"].(string))
 		if err != nil {
-			c.JSON(400, gin.H{
+			errorRes["error_description"] = err.Error()
-				"message": err.Error(),
+			c.JSON(400, errorRes)
 			})
 			return
 		}
@@ -65,21 +59,53 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		// delete from verification table
 		db.Provider.DeleteVerificationRequest(verificationRequest)
-		roles := strings.Split(user.Roles, ",")
+		state := strings.TrimSpace(c.Query("state"))
-		scope := []string{"openid", "email", "profile"}
+		redirectURL := strings.TrimSpace(c.Query("redirect_uri"))
-		nonce := uuid.New().String()
+		rolesString := strings.TrimSpace(c.Query("roles"))
-		_, authToken, err := token.CreateSessionToken(user, nonce, roles, scope)
+		var roles []string
 		if rolesString == "" {
 			roles = strings.Split(user.Roles, ",")
 		} else {
 			roles = strings.Split(rolesString, ",")
 		}
 		scopeString := strings.TrimSpace(c.Query("scope"))
 		var scope []string
 		if scopeString == "" {
 			scope = []string{"openid", "email", "profile"}
 		} else {
 			scope = strings.Split(scopeString, " ")
 		}
 		authToken, err := token.CreateAuthToken(c, user, roles, scope)
 		if err != nil {
-			c.JSON(400, gin.H{
+			errorRes["error_description"] = err.Error()
-				"message": err.Error(),
+			c.JSON(500, errorRes)
 			})
 			return
 		}
-		sessionstore.SetState(authToken, nonce+"@"+user.ID)
+		expiresIn := int64(1800)
-		cookie.SetSession(c, authToken)
+		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
 		cookie.SetSession(c, authToken.FingerPrintHash)
 		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 		if authToken.RefreshToken != nil {
 			params = params + `&refresh_token=${refresh_token}`
 			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 		}
 		if redirectURL == "" {
 			redirectURL = claim["redirect_uri"].(string)
 		}
 		if strings.Contains(redirectURL, "?") {
 			redirectURL = redirectURL + "&" + params
 		} else {
 			redirectURL = redirectURL + "?" + params
 		}
 		go utils.SaveSessionInDB(c, user.ID)
-		c.Redirect(http.StatusTemporaryRedirect, claim["redirect_url"].(string))
+		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	}
 }
--- a/server/resolvers/forgot_password.go
+++ b/server/resolvers/forgot_password.go
@@ -39,11 +39,16 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 	}
 	hostname := utils.GetHost(gc)
-	nonce, nonceHash, err := utils.GenerateNonce()
+	_, nonceHash, err := utils.GenerateNonce()
 	if err != nil {
 		return res, err
 	}
-	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname, nonceHash)
+	redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 	if params.RedirectURI != nil {
 		redirectURL = *params.RedirectURI
 	}
 	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURL)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
@@ -52,7 +57,8 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 		Identifier:  constants.VerificationTypeForgotPassword,
 		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 		Email:       params.Email,
-		Nonce:      nonce,
+		Nonce:       nonceHash,
 		RedirectURI: redirectURL,
 	})
 	// exec it as go routin so that we can reduce the api latency
--- a/server/resolvers/login.go
+++ b/server/resolvers/login.go
@@ -69,8 +69,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		return res, err
 	}
 	cookie.SetSession(gc, authToken.FingerPrintHash)
 	expiresIn := int64(1800)
 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
@@ -80,12 +78,13 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		User:        user.AsAPIUser(),
 	}
 	cookie.SetSession(gc, authToken.FingerPrintHash)
 	sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 	if authToken.RefreshToken != nil {
 		res.RefreshToken = &authToken.RefreshToken.Token
-		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+		sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 	}
 	go utils.SaveSessionInDB(gc, user.ID)
--- a/server/resolvers/magic_link_login.go
+++ b/server/resolvers/magic_link_login.go
@@ -68,6 +68,9 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		// 		Need to modify roles in this case
 		// find the unassigned roles
 		if len(params.Roles) <= 0 {
 			inputRoles = envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
 		}
 		existingRoles := strings.Split(existingUser.Roles, ",")
 		unasignedRoles := []string{}
 		for _, ir := range inputRoles {
@@ -109,24 +112,46 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 	hostname := utils.GetHost(gc)
 	if !envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
-		nonce, nonceHash, err := utils.GenerateNonce()
+		_, nonceHash, err := utils.GenerateNonce()
 		if err != nil {
 			return res, err
 		}
 		redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
 		if params.State != nil {
 			redirectURLParams = redirectURLParams + "&state=" + *params.State
 		}
 		if params.Scope != nil && len(params.Scope) > 0 {
 			redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
 		}
 		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 		if params.RedirectURI != nil {
 			redirectURL = *params.RedirectURI
 		}
 		if strings.Contains(redirectURL, "?") {
 			redirectURL = redirectURL + "&" + redirectURLParams
 		} else {
 			redirectURL = redirectURL + "?" + redirectURLParams
 		}
 		verificationType := constants.VerificationTypeMagicLinkLogin
-		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
-		db.Provider.AddVerificationRequest(models.VerificationRequest{
+		_, err = db.Provider.AddVerificationRequest(models.VerificationRequest{
 			Token:       verificationToken,
 			Identifier:  verificationType,
 			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 			Email:       params.Email,
-			Nonce:      nonce,
+			Nonce:       nonceHash,
 			RedirectURI: redirectURL,
 		})
 		if err != nil {
 			return res, err
 		}
-		// exec it as go routin so that we can reduce the api latency
+		// exec it as go routing so that we can reduce the api latency
 		go email.SendVerificationMail(params.Email, verificationToken, hostname)
 	}
--- a/server/resolvers/resend_verify_email.go
+++ b/server/resolvers/resend_verify_email.go
@@ -44,11 +44,12 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 	}
 	hostname := utils.GetHost(gc)
-	nonce, nonceHash, err := utils.GenerateNonce()
+	_, nonceHash, err := utils.GenerateNonce()
 	if err != nil {
 		return res, err
 	}
-	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier, hostname, nonceHash)
+
 	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier, hostname, nonceHash, verificationRequest.RedirectURI)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
@@ -57,7 +58,8 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 		Identifier:  params.Identifier,
 		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 		Email:       params.Email,
-		Nonce:      nonce,
+		Nonce:       nonceHash,
 		RedirectURI: verificationRequest.RedirectURI,
 	})
 	// exec it as go routin so that we can reduce the api latency
--- a/server/resolvers/reset_password.go
+++ b/server/resolvers/reset_password.go
@@ -37,11 +37,7 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 	// verify if token exists in db
 	hostname := utils.GetHost(gc)
-	encryptedNonce, err := utils.EncryptNonce(verificationRequest.Nonce)
+	claim, err := token.ParseJWTToken(params.Token, hostname, verificationRequest.Nonce, verificationRequest.Email)
 	if err != nil {
 		return res, err
 	}
 	claim, err := token.ParseJWTToken(params.Token, hostname, encryptedNonce, verificationRequest.Email)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}
--- a/server/resolvers/revoke.go
+++ b/server/resolvers/revoke.go
@@ -0,0 +1,16 @@
 package resolvers
 import (
 	"context"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 )
 // RevokeResolver resolver to revoke refresh token
 func RevokeResolver(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error) {
 	sessionstore.RemoveState(params.RefreshToken)
 	return &model.Response{
 		Message: "Token revoked",
 	}, nil
 }
--- a/server/resolvers/session.go
+++ b/server/resolvers/session.go
@@ -80,7 +80,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	if authToken.RefreshToken != nil {
 		res.RefreshToken = &authToken.RefreshToken.Token
-		sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+		sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 	}
 	return res, nil
--- a/server/resolvers/signup.go
+++ b/server/resolvers/signup.go
@@ -123,12 +123,13 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	hostname := utils.GetHost(gc)
 	if !envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
-		nonce, nonceHash, err := utils.GenerateNonce()
+		_, nonceHash, err := utils.GenerateNonce()
 		if err != nil {
 			return res, err
 		}
 		verificationType := constants.VerificationTypeBasicAuthSignup
-		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash)
+		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			return res, err
 		}
@@ -137,7 +138,8 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			Identifier:  verificationType,
 			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 			Email:       params.Email,
-			Nonce:      nonce,
+			Nonce:       nonceHash,
 			RedirectURI: redirectURL,
 		})
 		// exec it as go routin so that we can reduce the api latency
@@ -149,6 +151,9 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		}
 	} else {
 		scope := []string{"openid", "email", "profile"}
 		if params.Scope != nil && len(scope) > 0 {
 			scope = params.Scope
 		}
 		authToken, err := token.CreateAuthToken(gc, user, roles, scope)
 		if err != nil {
--- a/server/resolvers/update_profile.go
+++ b/server/resolvers/update_profile.go
@@ -129,12 +129,13 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 			user.EmailVerifiedAt = nil
 			hasEmailChanged = true
 			// insert verification request
-			nonce, nonceHash, err := utils.GenerateNonce()
+			_, nonceHash, err := utils.GenerateNonce()
 			if err != nil {
 				return res, err
 			}
 			verificationType := constants.VerificationTypeUpdateEmail
-			verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash)
+			redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 			verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash, redirectURL)
 			if err != nil {
 				log.Println(`error generating token`, err)
 			}
@@ -143,7 +144,8 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 				Identifier:  verificationType,
 				ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 				Email:       newEmail,
-				Nonce:      nonce,
+				Nonce:       nonceHash,
 				RedirectURI: redirectURL,
 			})
 			// exec it as go routin so that we can reduce the api latency
--- a/server/resolvers/update_user.go
+++ b/server/resolvers/update_user.go
@@ -101,12 +101,13 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		// insert verification request
-		nonce, nonceHash, err := utils.GenerateNonce()
+		_, nonceHash, err := utils.GenerateNonce()
 		if err != nil {
 			return res, err
 		}
 		verificationType := constants.VerificationTypeUpdateEmail
-		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash)
+		redirectURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
 		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
@@ -115,7 +116,8 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			Identifier:  verificationType,
 			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
 			Email:       newEmail,
-			Nonce:      nonce,
+			Nonce:       nonceHash,
 			RedirectURI: redirectURL,
 		})
 		// exec it as go routin so that we can reduce the api latency
--- a/server/resolvers/verify_email.go
+++ b/server/resolvers/verify_email.go
@@ -29,11 +29,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	// verify if token exists in db
 	hostname := utils.GetHost(gc)
-	encryptedNonce, err := utils.EncryptNonce(verificationRequest.Nonce)
+	claim, err := token.ParseJWTToken(params.Token, hostname, verificationRequest.Nonce, verificationRequest.Email)
 	if err != nil {
 		return res, err
 	}
 	claim, err := token.ParseJWTToken(params.Token, hostname, encryptedNonce, verificationRequest.Email)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token: %s`, err.Error())
 	}
--- a/server/routes/routes.go
+++ b/server/routes/routes.go
@@ -27,6 +27,7 @@ func InitRouter() *gin.Engine {
 	router.GET("/userinfo", handlers.UserInfoHandler())
 	router.GET("/logout", handlers.LogoutHandler())
 	router.POST("/oauth/token", handlers.TokenHandler())
 	router.POST("/oauth/revoke", handlers.RevokeHandler())
 	router.LoadHTMLGlob("templates/*")
 	// login page app related routes.
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@@ -91,7 +91,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
 	}
 	if utils.StringSliceContains(scope, "offline_access") {
-		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, hostname, nonce)
+		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce)
 		if err != nil {
 			return nil, err
 		}
@@ -103,7 +103,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
 }
 // CreateRefreshToken util to create JWT token
-func CreateRefreshToken(user models.User, roles []string, hostname, nonce string) (string, int64, error) {
+func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce string) (string, int64, error) {
 	// expires in 1 year
 	expiryBound := time.Hour * 8760
 	expiresAt := time.Now().Add(expiryBound).Unix()
@@ -115,6 +115,7 @@ func CreateRefreshToken(user models.User, roles []string, hostname, nonce string
 		"iat":        time.Now().Unix(),
 		"token_type": constants.TokenTypeRefreshToken,
 		"roles":      roles,
 		"scope":      scopes,
 		"nonce":      nonce,
 	}
@@ -198,6 +199,36 @@ func ValidateAccessToken(gc *gin.Context, accessToken string) (map[string]interf
 	return res, nil
 }
 // Function to validate refreshToken
 func ValidateRefreshToken(gc *gin.Context, refreshToken string) (map[string]interface{}, error) {
 	var res map[string]interface{}
 	if refreshToken == "" {
 		return res, fmt.Errorf(`unauthorized`)
 	}
 	savedSession := sessionstore.GetState(refreshToken)
 	if savedSession == "" {
 		return res, fmt.Errorf(`unauthorized`)
 	}
 	savedSessionSplit := strings.Split(savedSession, "@")
 	nonce := savedSessionSplit[0]
 	userID := savedSessionSplit[1]
 	hostname := utils.GetHost(gc)
 	res, err := ParseJWTToken(refreshToken, hostname, nonce, userID)
 	if err != nil {
 		return res, err
 	}
 	if res["token_type"] != constants.TokenTypeRefreshToken {
 		return res, fmt.Errorf(`unauthorized: invalid token type`)
 	}
 	return res, nil
 }
 func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionData, error) {
 	if encryptedSession == "" {
 		return nil, fmt.Errorf(`unauthorized`)
--- a/server/token/verification_token.go
+++ b/server/token/verification_token.go
@@ -9,7 +9,7 @@ import (
 )
 // CreateVerificationToken creates a verification JWT token
-func CreateVerificationToken(email, tokenType, hostname, nonceHash string) (string, error) {
+func CreateVerificationToken(email, tokenType, hostname, nonceHash, redirectURL string) (string, error) {
 	claims := jwt.MapClaims{
 		"iss":          hostname,
 		"aud":          envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID),
@@ -18,7 +18,7 @@ func CreateVerificationToken(email, tokenType, hostname, nonceHash string) (stri
 		"iat":          time.Now().Unix(),
 		"token_type":   tokenType,
 		"nonce":        nonceHash,
-		"redirect_url": envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL),
+		"redirect_uri": redirectURL,
 	}
 	return SignJWTToken(claims)
Author	SHA1	Message	Date
Lakhan Samani	2bf6b8f91d	fix: remove log	2022-03-09 17:24:53 +05:30
Lakhan Samani	776c0fba8b	chore: app dependencies	2022-03-09 17:21:55 +05:30
Lakhan Samani	dd64aa2e79	feat: add version info	2022-03-09 11:53:34 +05:30
Lakhan Samani	157b13baa7	fix: basic auth redirect	2022-03-09 10:10:39 +05:30
Lakhan Samani	d1e284116d	fix: verification request model	2022-03-09 07:10:07 +05:30
Lakhan Samani	2f9725d8e1	fix: verification request	2022-03-09 06:41:38 +05:30
Lakhan Samani	ee7aea7bee	fix: verify email	2022-03-08 22:55:45 +05:30
Lakhan Samani	5d73df0040	fix: magic link login	2022-03-08 22:41:33 +05:30
Lakhan Samani	60cd317e67	fix: add redirect url to logout	2022-03-08 21:32:42 +05:30
Lakhan Samani	f5bdc8db39	fix: refresh token store info	2022-03-08 21:13:23 +05:30
Lakhan Samani	9eca697a91	fix: refresh token param in string	2022-03-08 19:31:19 +05:30
Lakhan Samani	7136ee924d	fix: rotate refresh token	2022-03-08 19:18:33 +05:30
Lakhan Samani	fd9eb7c733	fix: oauth state split	2022-03-08 19:13:45 +05:30
Lakhan Samani	917eaeb2ed	feat: don't set cookie in case of offline_access	2022-03-08 18:51:46 +05:30
Lakhan Samani	3bb90acc9e	feat: add revoke mutation + handler	2022-03-08 18:49:42 +05:30
Lakhan Samani	a69b8e290c	feat: add ability to get access token based on refresh token	2022-03-08 14:56:46 +05:30
Lakhan Samani	674eeeea4e	chore: bump authorizer-react	2022-03-08 14:20:11 +05:30
Lakhan Samani	8c2bf6ee0d	fix: add token information in redirect url	2022-03-08 12:36:26 +05:30