fix: assert state is short enough to be stored in cookie

demo/nextjs/components/sign-in.tsx

@@ -124,7 +124,6 @@ export default function SignIn() {
 							onClick={async () => {
 								await signIn.social({
 									provider: "discord",
-									callbackURL: "/dashboard",
 								});
 							}}
 						>

packages/better-auth/src/api/routes/sign-in.ts

@@ -59,8 +59,7 @@ export const signInOAuth = createAuthEndpoint(
 			: `${currentURL?.origin}${c.body.callbackURL || ""}`;
 
 		const state = generateState(
-			callbackURL || currentURL?.origin || c.context.baseURL,
-			c.query?.currentURL,
+			callbackURL || currentURL?.origin || c.context.options.baseURL,
 		);
 		await c.setSignedCookie(
 			cookie.state.name,

packages/better-auth/src/plugins/generic-oauth/index.ts

@@ -204,8 +204,7 @@ export const genericOAuth = (options: GenericOAuthOptions) => {
 						? ctx.body.callbackURL
 						: `${currentURL?.origin}${ctx.body.callbackURL || ""}`;
 					const state = generateState(
-						callbackURL || currentURL?.origin || ctx.context.baseURL,
-						ctx.query?.currentURL,
+						callbackURL || currentURL?.origin || ctx.context.options.baseURL,
 					);
 					const cookie = ctx.context.authCookies;
 					await ctx.setSignedCookie(

packages/better-auth/src/utils/state.ts

@@ -1,13 +1,18 @@
 import { generateState as generateStateOAuth } from "oslo/oauth2";
 import { z } from "zod";
+import { BetterAuthError } from "../error/better-auth-error";
 
-export function generateState(callbackURL?: string, currentURL?: string) {
+export function generateState(callbackURL?: string) {
 	const code = generateStateOAuth();
 	const state = JSON.stringify({
 		code,
 		callbackURL,
-		currentURL,
 	});
+	if (state.length > 4000) {
+		throw new BetterAuthError(
+			"State is too long to be safely stored in a cookie. Make sure the callbackURL is not too long.",
+		);
+	}
 	return state;
 }