From 8fbc38be3f7072e8fc7a5074b224c07e4094fa7b Mon Sep 17 00:00:00 2001
From: Frederic Jahn
Date: Fri, 10 Oct 2025 10:41:07 +0200
Subject: [PATCH] chore: make pkce easier to test
---
 .../flow/shared/action_thirdparty_oauth.go | 24 +++++++++----------
 frontend/elements/src/pages/LoginInitPage.tsx | 4 ++++
 .../src/lib/flow-api/auto-steps.ts | 6 ++++-
 3 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/backend/flow_api/flow/shared/action_thirdparty_oauth.go b/backend/flow_api/flow/shared/action_thirdparty_oauth.go
index b5652f15..3ddf5fff 100644
--- a/backend/flow_api/flow/shared/action_thirdparty_oauth.go
+++ b/backend/flow_api/flow/shared/action_thirdparty_oauth.go
@@ -3,8 +3,6 @@ package shared
 import (
 "cmp"
 "fmt"
- "github.com/teamhanko/hanko/backend/v2/utils"
- "net/http"
 "slices"
 "github.com/teamhanko/hanko/backend/v2/config"
@@ -103,18 +101,18 @@ func (a ThirdPartyOAuth) Execute(c flowpilot.ExecutionContext) error {
 // SameSite: http.SameSiteLaxMode,
 // })
- cookie := &http.Cookie{
- Name: utils.HankoThirdpartyStateCookie,
- Value: string(state),
- Path: "/",
- Domain: deps.Cfg.Session.Cookie.Domain,
- MaxAge: 300,
- Secure: true,
- HttpOnly: deps.Cfg.Session.Cookie.HttpOnly,
- SameSite: http.SameSiteNoneMode,
- }
+ //cookie := &http.Cookie{
+ // Name: utils.HankoThirdpartyStateCookie,
+ // Value: string(state),
+ // Path: "/",
+ // Domain: deps.Cfg.Session.Cookie.Domain,
+ // MaxAge: 300,
+ // Secure: true,
+ // HttpOnly: deps.Cfg.Session.Cookie.HttpOnly,
+ // SameSite: http.SameSiteNoneMode,
+ //}
- deps.HttpContext.SetCookie(cookie)
+ //deps.HttpContext.SetCookie(cookie)
 if err = c.Payload().Set("redirect_url", authCodeUrl); err != nil {
 return fmt.Errorf("failed to set redirect_url to payload: %w", err)
diff --git a/frontend/elements/src/pages/LoginInitPage.tsx b/frontend/elements/src/pages/LoginInitPage.tsx
index a49e1dc5..89c3f011 100644
--- a/frontend/elements/src/pages/LoginInitPage.tsx
+++ b/frontend/elements/src/pages/LoginInitPage.tsx
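Review bot: The `HankoThirdpartyStateCookie` that carried `state` back to the browser is commented out and `SetCookie` is no longer called, but nothing in this hunk replaces the binding that cookie backed: `state` is still generated (it is still referenced as `string(state)`) and presumably still embedded in `authCodeUrl`, while the browser-side copy a callback would compare against is gone. If the callback handler still reads that cookie, every third-party login now fails; if it was relaxed to match, the login-CSRF protection that `state` provides is gone, and the `code_verifier` the frontend now sends is only a substitute if the `exchange_token` step actually verifies it — neither is visible here, so this needs confirming before a "chore" commit lands. Dead code should be deleted rather than commented out (git keeps the history), and the intent recorded in one line, e.g. `// state is no longer pinned in a cookie; the flow-scoped PKCE code_verifier must be verified at exchange_token instead.` `Execute`'s body starts before and ends after this hunk.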
@@ -115,9 +115,13 @@ const LoginInitPage = (props: Props) => {
 event.preventDefault();
 setSelectedThirdPartyProvider(name);
+ const codeVerifier = crypto.randomUUID();
+ localStorage.setItem("code_verifier", codeVerifier);
+
 const nextState = await flowState.actions.thirdparty_oauth.run({
 provider: name,
 redirect_to: window.location.toString(),
+ code_verifier: codeVerifier,
 });
 if (nextState.error) {
diff --git a/frontend/frontend-sdk/src/lib/flow-api/auto-steps.ts b/frontend/frontend-sdk/src/lib/flow-api/auto-steps.ts
index 257d7313..1f04c9bc 100644
--- a/frontend/frontend-sdk/src/lib/flow-api/auto-steps.ts
+++ b/frontend/frontend-sdk/src/lib/flow-api/auto-steps.ts
@@ -90,7 +90,11 @@ export const autoSteps: AutoSteps = {
 if (token?.length > 0) {
 updateUrl(["hanko_token"]);
- return await state.actions.exchange_token.run({ token });
+ const codeVerifier = localStorage.getItem("code_verifier");
+ return await state.actions.exchange_token.run({
+ token,
+ code_verifier: codeVerifier,
+ });
 }
 if (error?.length > 0) {
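Review bot: `crypto.randomUUID()` yields a 36-character string, while RFC 7636 §4.1 requires a `code_verifier` of 43–128 unreserved characters, so if this value is ever forwarded to a provider as the PKCE verifier it will be rejected on length; deriving it from 32 random bytes, base64url-encoded without padding, gives a compliant 43-character value (below). `localStorage` is readable by any script on the origin and outlives the login attempt, whereas `sessionStorage` scopes the verifier to the tab that started the flow, which is the lifetime it needs (the read in auto-steps.ts has to move with it). The raw verifier is also posted to the backend in the `thirdparty_oauth` call, which is fine if the backend is the OAuth client and keeps it (ideally only its S256 hash) to compare at `exchange_token`, but that is not visible here and is worth confirming before describing this as PKCE.
```typescript
const bytes = crypto.getRandomValues(new Uint8Array(32));
const codeVerifier = btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-")
  .replace(/\//g, "_")
  .replace(/=+$/, "");
sessionStorage.setItem("code_verifier", codeVerifier);
// … unchanged: thirdparty_oauth.run call, which passes code_verifier …
```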
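Review bot: The verifier read on the new `const codeVerifier = localStorage.getItem("code_verifier")` line is never removed, so it stays on the origin after the exchange and is silently reused by any later flow, and `getItem` returns `null` when the flow was started in another tab or the key was cleared, in which case `code_verifier: null` is posted to `exchange_token`. Consume it once and stop early when it is missing: `const codeVerifier = localStorage.getItem("code_verifier"); localStorage.removeItem("code_verifier");` before the call, and treat a `null` verifier as a flow error rather than sending it. The enclosing auto-step handler starts before this hunk.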