oidc/callback: handle missing state param (#1392)

Without this check, a request without a state parameter will generate an
internal server error and receive a 500-status response.

This change sends the client through the proper error-handling route.

lib/resources/oidc.js

@@ -96,7 +96,9 @@ const loaderTemplate = `
 parse(loaderTemplate); // caches template for future perf.
 
 const stateFor = next => [ generators.state(), Buffer.from(next).toString('base64url') ].join(':');
-const nextFrom = state => Buffer.from(state.split(':')[1], 'base64url').toString();
+const nextFrom = state => {
+  if (state) return Buffer.from(state.split(':')[1], 'base64url').toString();
+};
 
 module.exports = (service, endpoint) => {
   if (!isEnabled()) return;

test/integration/api/oidc.js

@@ -35,12 +35,24 @@ describe('api: /oidc/...', () => {
             url.searchParams.get('code_challenge').should.match(/^[a-zA-Z0-9-_]{43}$/);
             url.searchParams.get('state'         ).should.match(/^[a-zA-Z0-9-_]{43}:$/); // eslint-disable-line space-in-parens,no-multi-spaces
           })));
+
+      it('should redirect to error page if no parameters are provided', testService(service =>
+        service.get('/v1/oidc/callback')
+          .expect(303)
+          .then(({ text, headers }) => {
+            text.should.eql('See Other. Redirecting to http://localhost:8989/#/login?oidcError=internal-server-error');
+            headers.location.should.eql('http://localhost:8989/#/login?oidcError=internal-server-error');
+          })));
     });
   } else { // OIDC not enabled
     describe('GET /oidc/login', () => {
       it('should not exist', testService(service =>
         service.get('/v1/oidc/login')
           .expect(404)));
+
+      it('should not exist', testService(service =>
+        service.get('/v1/oidc/callback')
+          .expect(404)));
     });
   }
 });