Bug: OAuth callback crashes on malformed `state` due to unhandled `decodeURIComponent` error

[7vignesh]

Description

The OAuth callback endpoint decodes the state query parameter without guarding against invalid percent-encoding, which can throw a URIError and break the entire callback flow.

Code reference: CallbackEndpoint.ts:44

At that line, decodeURIComponent(state) is called directly inside Promise.all. If state contains malformed encoding (e.g., a trailing % or an invalid UTF-8 sequence), decodeURIComponent throws a URIError and the endpoint fails before building a safe callback response.

---

Steps to Reproduce

1. Trigger the callback endpoint with a malformed state value:
   /api/apps/public/{appId}/callback?code=valid_code&state=%E0%A4%A
2. Observe server logs and response.
3. The request fails before token exchange handling completes.

---

Expected Behavior

The endpoint should handle malformed state safely and return a controlled callback response (e.g., 400 with a user-friendly error page), not crash/fail via an unhandled decode error.

---

Actual Behavior

Malformed state causes decodeURIComponent to throw, which interrupts request handling and breaks the OAuth callback flow.

---

Impact

• Login flow can fail unexpectedly for users.
• Crafted callback URLs can cause repeated endpoint failures.

---

Suggested Fix Direction

• Wrap state decoding in a try/catch block:

let decodedState: string;
try {
 decodedState = decodeURIComponent(state);
} catch (e) {
 return context.sendJson({ error: 'Invalid state parameter' }, 400);
}

• Validate origin/state before use.
• Return a controlled error response when state is invalid.

---

Note: This issue was identified while reviewing the OAuth callback implementation. A fix would improve robustness against both accidental and crafted malformed callback URLs.