fix(passcodes): clear encrypted state on expired page redirect

On a redirect to an expired page we should clear the encrypted state cookie from all IDX API values in order to reset it.
guardian · Feb 6, 2025 · 1001900 · 1001900
1 parent a702458
commit 1001900
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/server/lib/okta/idx/shared/errorHandling.ts b/src/server/lib/okta/idx/shared/errorHandling.ts
@@ -20,6 +20,25 @@ type HandlePasscodeErrorParams = {
 	expiredPage: RoutePaths;
 };
 
+/**
+ * @name clearIdxStateInEncrytpedStateCookie
+ * @description Clear the IDX state in the encrypted state cookie on a redirect to the expired page to reset the state
+ * @param {Request} req - The express request object
+ * @param {ResponseWithRequestState} res - The express response object
+ */
+const clearIdxStateInEncryptedStateCookie = (
+	req: Request,
+	res: ResponseWithRequestState,
+) => {
+	updateEncryptedStateCookie(req, res, {
+		passcodeUsed: undefined,
+		stateHandle: undefined,
+		stateHandleExpiresAt: undefined,
+		userState: undefined,
+		passcodeFailedCount: undefined,
+	});
+};
+
 /**
  * @name handlePasscodeError
  * @description Handles errors from the IDX API when the user is entering a passcode.
@@ -65,6 +84,7 @@ export const handlePasscodeError = ({
 
 			// if the passcode failed count is 5 or more, redirect to expired page
 			if (updatedPasscodeFailedCount >= 5) {
+				clearIdxStateInEncryptedStateCookie(req, res);
 				return res.redirect(
 					303,
 					addQueryParamsToPath(expiredPage, state.queryParams),