fix(handlers): skip varcheck for state when allowEmptyState

Author: jankapunkt

lib/handlers/authorize-handler.js

@@ -238,13 +238,14 @@ AuthorizeHandler.prototype.getScope = function(request) {
 
 AuthorizeHandler.prototype.getState = function(request) {
   const state = request.body.state || request.query.state;
-
-  if (!this.allowEmptyState && !state) {
-    throw new InvalidRequestError('Missing parameter: `state`');
-  }
-
-  if (!is.vschar(state)) {
-    throw new InvalidRequestError('Invalid parameter: `state`');
+  const stateExists = state && state.length > 0;
+  const stateIsValid = stateExists
+    ? is.vschar(state)
+    : this.allowEmptyState;
+
+  if (!stateIsValid) {
+    const message = (!stateExists) ? 'Missing' : 'Invalid';
+    throw new InvalidRequestError(`${message} parameter: \`state\``);
   }
 
   return state;

test/integration/handlers/authorize-handler_test.js

@@ -932,6 +932,18 @@ describe('AuthorizeHandler integration', function() {
       }
     });
 
+    it('should allow missing `state` if `allowEmptyState` is valid', function () {
+      const model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      const handler = new AuthorizeHandler({ allowEmptyState: true, authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: {}, headers: {}, method: {}, query: {} });
+      const state = handler.getState(request);
+      should.equal(state, undefined);
+    });
+
     it('should throw an error if `state` is invalid', function() {
       const model = {
         getAccessToken: function() {},