feat: Enhance OpenID flow with state parameter handling

api/server/routes/oauth.js

@@ -1,6 +1,7 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
 const passport = require('passport');
+const client = require('openid-client');
 const {
   checkBan,
   logHeaders,
@@ -107,6 +108,7 @@ router.get(
   '/openid',
   passport.authenticate('openid', {
     session: false,
+    state: client.randomState(),
   }),
 );
 
@@ -115,6 +117,7 @@ router.get(
   passport.authenticate('openid', {
     failureRedirect: `${domains.client}/oauth/error`,
     failureMessage: true,
+    state: client.randomState(),
     session: false,
   }),
   setBalanceConfig,

api/strategies/openidStrategy.js

@@ -28,6 +28,17 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
     const hostAndProtocol = process.env.DOMAIN_SERVER;
     return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
   }
+
+  /**
+   * Override to ensure proper authorization request parameters
+   */
+  authorizationRequestParams(req, options) {
+    const params = super.authorizationRequestParams?.(req, options) || {};
+    if (options?.state != null && options.state && !params.has('state')) {
+      params.set('state', options.state);
+    }
+    return params;
+  }
 }
 
 /**