From cfaa80a9e723c4af6e30eb796321db5184a7a6d5 Mon Sep 17 00:00:00 2001
From: David Flanagan
Date: Tue, 28 Nov 2023 20:34:49 +0000
Subject: [PATCH] fix: ensure state is passed through for both github app types (#279)
---
.changeset/hip-owls-give.md | 5 +++++
.../src/providers/github/authFlow.ts | 16 ++++++++--------
2 files changed, 13 insertions(+), 8 deletions(-)
create mode 100644 .changeset/hip-owls-give.md
diff --git a/.changeset/hip-owls-give.md b/.changeset/hip-owls-give.md
new file mode 100644
index 00000000..25f50c2a
--- /dev/null
+++ b/.changeset/hip-owls-give.md
@@ -0,0 +1,5 @@
+---
+'@hono/oauth-providers': patch
+---
+
+ensure CSRF state returned to GitHub apps
diff --git a/packages/oauth-providers/src/providers/github/authFlow.ts b/packages/oauth-providers/src/providers/github/authFlow.ts
index 743427fe..c5fcb4d9 100644
--- a/packages/oauth-providers/src/providers/github/authFlow.ts
+++ b/packages/oauth-providers/src/providers/github/authFlow.ts
@@ -43,15 +43,15 @@ export class AuthFlow {
redirect() {
const url = 'https://github.com/login/oauth/authorize?'
- if (this.oauthApp) {
- const parsedScope = toQueryParams({
- scope: this.scope,
- state: this.state,
- })
- return `${url}${parsedScope}&client_id=${this.client_id}`
- }
+ const queryParams = toQueryParams({
+ client_id: this.client_id,
+ state: this.state,
+ // For GitHub apps, the scope is configured during the app setup / creation.
+ // For OAuth apps, we need to provide the scope.
+ ...(this.oauthApp && { scope: this.scope }),
+ })
- return `${url}client_id=${this.client_id}`
+ return url.concat(queryParams);
}
private async getTokenFromCode() {
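Review bot: The redirect now always carries `state`, but nothing in the hunk guards against `this.state` being unset, and how `toQueryParams` serialises an `undefined` value is not visible here — if it drops the key, a caller that never set state gets a GitHub redirect with no CSRF token and no error. Consider failing fast before building the URL, `if (!this.state) throw new Error('state is required to build the GitHub authorize URL')`, unless the constructor already enforces this (not visible in this hunk). Sending `state` only protects against login CSRF if the callback compares the value GitHub returns with the one stored before the redirect; that check lives outside this hunk and is worth confirming separately. As a style point, the trailing `;` on `return url.concat(queryParams);` is inconsistent with the semicolon-free lines around it, and `${url}${queryParams}` would match the template-literal form the removed code used. The enclosing class `AuthFlow` starts before the hunk and its body continues past `getTokenFromCode()`.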