BadRequestError: checks.state argument is missing when routing between pages using browser's back button

[link01153113]

Checklist

• The issue can be reproduced in the express-openid-connect sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

I have multiple apps using the same domain with the same login system (Cognito). When navigating directly to a page, there are no issues. However, if I navigate to the first page, then go to the second page, and finally click the browser's back button to return to the first page, I always encounter a BadRequestError.

BadRequestError: checks.state argument is missing
    at ResponseContext.callback (/home/node_modules/express-openid-connect/lib/context.js:354:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

It only happens on v2 express-openid-connect, but not on v1.
App using v2 is able to return to app using v1 without issue using browser's back button. Somehow it only happens in v2.
Is it the desired behavior or am I overlooking something? Thank you for your time.

Reproduction

1. Login to the portal
2. Route to the first page
3. Route to the second page
4. Click browser's back button to return to the first page.
5. Error shows up

One of the apps setup:

server.use(
        auth({
            authRequired: true,
            issuerBaseURL: `https://cognito-idp.us-east-1.amazonaws.com/${process.env.USER_POOL_ID}`,
            baseURL,
            clientID: `${process.env.COGNITO_CLIENT_ID}`,
            clientSecret: `${process.env.COGNITO_CLIENT_SECRET}`,
            secret,
            authorizationParams: {
                response_type: "code",
                scope: "openid profile",
            },
            routes: {
                postLogoutRedirect: `https://${process.env.COGNITO_USER_POOL_DOMAIN}/logout?client_id=${process.env.COGNITO_CLIENT_ID}&logout_uri=${baseUrl}`,
            },
            afterCallback: async function (req, res, session, decodedState) {
                try {
                    return session;
                } catch (err) {
                    console.error(
                        "There was a problem after auth callback: ",
                        err
                    );
                    return session;
                }
            },
        })
    );

Additional context

No response

express-openid-connect version

2.17.1

Express version

4.18.2

Node.js version

16

[madaster97]

Update: Just to be clear, I think the issue is that your apps are overwriting each other's cookies (specifically the auth_verification cookie). The steps below are to segregate each app's cookies onto a specific server path.

Since your 2 apps are on the same domain, does that mean they're each hosted on different paths?

I had to do something similar before, and it was a pain to deal with and requires you to re-mount your routes based on how your reverse proxy forwards requests. A couple things I remember doing:

1. Configure each app to inject a Path cookie attribute so they get stored separately in the browser (example below). I can't remember if I needed different cookie names as well, but worth testing
2. Re-mount my app on the /<path> I had just configured. This will depend on how your proxy forwards the requests. Is it stripping out the first path before forwarding to your node server?

Add cookie path config:

server.use(
        auth({
            ...,
            session:{
                name: '<Different name for each app, to avoid cookie name collision>',
                cookie: {
                    path: '<Different path for each app>'
                }
            }
        })
    );

[natewaddoups]

There might be fewer requests for help with this error message if it was changed from:

"checks.state argument is missing"
to
"checks.state is not present in the auth_verification cookie"

The current error message probably made sense to whoever was writing the function that was invoked with a "checks" object that was missing a "state" property, but it's meaningless to those of us who are using this library, since we didn't call that function ourselves.

I'd submit a PR to fix this, but I can't figure out where the phrase "argument is missing" is coming from. I searched the repo, but apparently it only appears in test cases.

edit: this is now a feature request