From e80029e5f0ba9cc6429191b823fb455fbc6de55d Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Fri, 25 Oct 2024 16:29:34 -0400
Subject: [PATCH] Properly handling and validating the state for login.gov

Signed-off-by: Cliff Hill
---
 app/service_invite/rest.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/service_invite/rest.py b/app/service_invite/rest.py
index e7d0d4b20..26718a35f 100644
--- a/app/service_invite/rest.py
+++ b/app/service_invite/rest.py
@@ -32,7 +32,7 @@ service_invite = Blueprint("service_invite", __name__)
 register_errors(service_invite)
-def _create_service_invite(invited_user, nonce):
+def _create_service_invite(invited_user, nonce, state):
     template_id = current_app.config["INVITATION_EMAIL_TEMPLATE_ID"]
@@ -58,7 +58,7 @@ def _create_service_invite(invited_user, nonce):
     user_data_url_safe = get_user_data_url_safe(data)
-    url = url.replace("STATE", user_data_url_safe)
+    url = url.replace("STATE", state)
     personalisation = {
         "user_name": invited_user.from_user.name,
@@ -94,11 +94,16 @@ def create_invited_user(service_id):
     except KeyError:
         current_app.logger.exception("nonce not found in submitted data.")
         raise
+    try:
+        state = request_json.pop("state")
+    except KeyError:
+        current_app.logger.exception("state not found in submitted data.")
+        raise
     invited_user = invited_user_schema.load(request_json)
     save_invited_user(invited_user)
-    _create_service_invite(invited_user, nonce)
+    _create_service_invite(invited_user, nonce, state)
     return jsonify(data=invited_user_schema.dump(invited_user)), 201
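Review bot: In the second hunk, `url = url.replace("STATE", state)` now splices a value taken straight from the request body into the invitation link, whereas the value it replaces came from `get_user_data_url_safe` and was, by its name, already URL-safe; a `state` containing `&`, `#`, `/` or whitespace would alter or break the emailed URL. If `state` is meant to be an opaque token, percent-encode it at the substitution point, e.g. `url = url.replace("STATE", urllib.parse.quote(state, safe=""))`, or enforce a URL-safe character set before it reaches this function. The `user_data_url_safe = get_user_data_url_safe(data)` assignment on the line above no longer has a visible use; if nothing else in `_create_service_invite` reads it, it is now dead code. The function body starts and ends outside this hunk, so that should be confirmed against the full function.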
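Review bot: The new `try`/`except KeyError` block in `create_invited_user` only checks that `state` is present; despite the subject line, nothing validates its type or content, so a JSON value such as `null`, a number or a list is passed through to `str.replace` and surfaces as a `TypeError` (a 500) rather than a client error. After the pop, add a check along the lines of `if not isinstance(state, str) or not state:` that logs and raises whatever exception `register_errors` maps to a 400 in this project (confirm which one; the existing `nonce` handling gives no precedent beyond `KeyError`). The block also duplicates the `nonce` block line for line; extracting a small `_pop_required(request_json, key)` helper would keep the two checks, and any future ones, consistent. The enclosing function starts before this hunk.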