fix: use App.jwtSecret instead of env for OAuth state token

play-life-backend/main.go

@@ -5767,7 +5767,7 @@ type OAuthStateClaims struct {
 }
 
 // generateOAuthState генерирует JWT state для OAuth
-func generateOAuthState(userID int, jwtSecret string) (string, error) {
+func generateOAuthState(userID int, jwtSecret []byte) (string, error) {
 	claims := OAuthStateClaims{
 		UserID: userID,
 		Type:   "todoist_oauth",
@@ -5777,16 +5777,16 @@ func generateOAuthState(userID int, jwtSecret string) (string, error) {
 		},
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	return token.SignedString([]byte(jwtSecret))
+	return token.SignedString(jwtSecret)
 }
 
 // validateOAuthState проверяет и извлекает user_id из JWT state
-func validateOAuthState(stateString string, jwtSecret string) (int, error) {
+func validateOAuthState(stateString string, jwtSecret []byte) (int, error) {
 	token, err := jwt.ParseWithClaims(stateString, &OAuthStateClaims{}, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
-		return []byte(jwtSecret), nil
+		return jwtSecret, nil
 	})
 	if err != nil {
 		return 0, err
@@ -5895,7 +5895,6 @@ func (a *App) todoistOAuthConnectHandler(w http.ResponseWriter, r *http.Request)
 
 	clientID := getEnv("TODOIST_CLIENT_ID", "")
 	clientSecret := getEnv("TODOIST_CLIENT_SECRET", "")
-	jwtSecret := getEnv("JWT_SECRET", "")
 	baseURL := getEnv("WEBHOOK_BASE_URL", "")
 
 	if clientID == "" || clientSecret == "" {
@@ -5906,14 +5905,10 @@ func (a *App) todoistOAuthConnectHandler(w http.ResponseWriter, r *http.Request)
 		sendErrorWithCORS(w, "WEBHOOK_BASE_URL must be configured", http.StatusInternalServerError)
 		return
 	}
-	if jwtSecret == "" {
-		sendErrorWithCORS(w, "JWT_SECRET must be configured", http.StatusInternalServerError)
-		return
-	}
 
 	redirectURI := strings.TrimRight(baseURL, "/") + "/api/integrations/todoist/oauth/callback"
 
-	state, err := generateOAuthState(userID, jwtSecret)
+	state, err := generateOAuthState(userID, a.jwtSecret)
 	if err != nil {
 		log.Printf("Todoist OAuth: failed to generate state: %v", err)
 		sendErrorWithCORS(w, "Failed to generate OAuth state", http.StatusInternalServerError)
@@ -5942,12 +5937,11 @@ func (a *App) todoistOAuthCallbackHandler(w http.ResponseWriter, r *http.Request
 	redirectSuccess := frontendURL + "/?integration=todoist&status=connected"
 	redirectError := frontendURL + "/?integration=todoist&status=error"
 
-	jwtSecret := getEnv("JWT_SECRET", "")
 	clientID := getEnv("TODOIST_CLIENT_ID", "")
 	clientSecret := getEnv("TODOIST_CLIENT_SECRET", "")
 	baseURL := getEnv("WEBHOOK_BASE_URL", "")
 
-	if jwtSecret == "" || clientID == "" || clientSecret == "" || baseURL == "" {
+	if clientID == "" || clientSecret == "" || baseURL == "" {
 		log.Printf("Todoist OAuth: missing configuration")
 		http.Redirect(w, r, redirectError+"&message=config_error", http.StatusTemporaryRedirect)
 		return
@@ -5957,7 +5951,7 @@ func (a *App) todoistOAuthCallbackHandler(w http.ResponseWriter, r *http.Request
 
 	// Проверяем state
 	state := r.URL.Query().Get("state")
-	userID, err := validateOAuthState(state, jwtSecret)
+	userID, err := validateOAuthState(state, a.jwtSecret)
 	if err != nil {
 		log.Printf("Todoist OAuth: invalid state: %v", err)
 		http.Redirect(w, r, redirectError+"&message=invalid_state", http.StatusTemporaryRedirect)