State is set in /login route to
var state = generateRandomString(16);
res.cookie(stateKey, state);
And then updated and checked in /callback route with
var state = req.query.state || null;
var storedState = req.cookies ? req.cookies[stateKey] : null
if (state === null || state !== storedState) {
As "state" is overwritten with the users incoming query.state, wouldn't that mean that if a users traffic was interrupted by a malicious user, they could just use whatever string they wanted in their query, as long as it corresponded to their cookie and overtake the connection? Why do you overwrite the state variable at all? Shouldn't it be kept the same as when assigned in the /login route and then used as a basis for comparison and security?