rebeccalarner · pull · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/lib/actions/google/drive/google_drive.js b/lib/actions/google/drive/google_drive.js
@@ -238,10 +238,10 @@ class GoogleDriveAction extends Hub.OAuthActionV2 {
         }
     }
     async oauthFetchAccessToken(request) {
-        if (request.params.state) {
+        if (request.fetchTokenState) {
             const actionCrypto = new Hub.ActionCrypto();
-            const plaintext = await actionCrypto.decrypt(request.params.state).catch((err) => {
-                winston.error("Encryption not correctly configured" + err);
+            const plaintext = await actionCrypto.decrypt(request.fetchTokenState).catch((err) => {
+                winston.error("Encryption not correctly configured", { error: err });
                 throw err;
             });
             const state = JSON.parse(plaintext);

diff --git a/lib/api_types/data_webhook_payload.d.ts b/lib/api_types/data_webhook_payload.d.ts
@@ -20,6 +20,8 @@ export interface DataWebhookPayload {
     form_params: {
         [key: string]: string;
     } | null;
+    /** Encrypted data used by /actions/:actionId/oauth_token route */
+    state: string | null;
 }
 export interface RequestDataWebhookPayload {
 }
diff --git a/lib/hub/action_request.d.ts b/lib/hub/action_request.d.ts
@@ -45,6 +45,7 @@ export declare class ActionRequest {
     formParams: ParamMap;
     params: ParamMap;
     scheduledPlan?: ActionScheduledPlan;
+    fetchTokenState?: string;
     type: ActionType;
     actionId?: string;
     instanceId?: string;

diff --git a/lib/hub/action_request.js b/lib/hub/action_request.js
@@ -85,6 +85,9 @@ class ActionRequest {
         if (json.form_params) {
             request.formParams = json.form_params;
         }
+        if (json.state) {
+            request.fetchTokenState = json.state;
+        }
         return request;
     }
     empty() {

diff --git a/lib/hub/action_token.d.ts b/lib/hub/action_token.d.ts
@@ -2,4 +2,5 @@ export declare class ActionToken {
     tokens: any;
     redirect: any;
     constructor(tokens: any, redirect: any);
+    asJson(): any;
 }
diff --git a/lib/hub/action_token.js b/lib/hub/action_token.js
@@ -6,5 +6,11 @@ class ActionToken {
         this.tokens = tokens;
         this.redirect = redirect;
     }
+    asJson() {
+        return {
+            tokens: this.tokens,
+            redirect: this.redirect,
+        };
+    }
 }
 exports.ActionToken = ActionToken;
diff --git a/lib/server/server.js b/lib/server/server.js
@@ -186,7 +186,7 @@ class Server {
             if ((0, hub_1.isOauthActionV2)(action)) {
                 const payload = await action.oauthFetchAccessToken(request);
                 res.type("json");
-                res.send(JSON.stringify(payload));
+                res.send(JSON.stringify(payload.asJson()));
             }
             else {
                 res.statusCode = 404;

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "looker-action-hub",
-  "version": "1.5.26",
+  "version": "1.5.27",
   "description": "",
   "main": "lib/index",
   "scripts": {

diff --git a/src/actions/google/drive/google_drive.ts b/src/actions/google/drive/google_drive.ts
@@ -283,10 +283,10 @@ export class GoogleDriveAction extends Hub.OAuthActionV2 {
   }
 
   async oauthFetchAccessToken(request: Hub.ActionRequest) {
-    if (request.params.state) {
+    if (request.fetchTokenState) {
       const actionCrypto = new Hub.ActionCrypto()
-      const plaintext = await actionCrypto.decrypt(request.params.state).catch((err: string) => {
-        winston.error("Encryption not correctly configured" + err)
+      const plaintext = await actionCrypto.decrypt(request.fetchTokenState).catch((err: string) => {
+        winston.error("Encryption not correctly configured", { error: err })
         throw err
       })
       const state = JSON.parse(plaintext)

diff --git a/src/actions/google/drive/test_google_drive.ts b/src/actions/google/drive/test_google_drive.ts
@@ -405,8 +405,7 @@ describe(`${action.constructor.name} unit tests`, () => {
         const stubAccessToken = sinon.stub(action as any, "getAccessTokenCredentialsFromCode")
           .resolves({tokens: "token"})
         const request = new Hub.ActionRequest()
-        request.params = {
-          state: "eyJjb2RlIjoiY29kZSIsInJlZGlyZWN0dXJpIjoicmVkaXJlY3QifQ"}
+        request.fetchTokenState = "eyJjb2RlIjoiY29kZSIsInJlZGlyZWN0dXJpIjoicmVkaXJlY3QifQ"
         request.webhookId = "testId"
         const tokenPayload = action.oauthFetchAccessToken(request)
         chai.expect(tokenPayload).to.eventually.deep.equal({tokens: {tokens: "token"}, redirect: "redirect"})

diff --git a/src/api_types/data_webhook_payload.ts b/src/api_types/data_webhook_payload.ts
@@ -20,6 +20,8 @@ export interface DataWebhookPayload {
   data: {[key: string]: string} | null
   /** Form parameters associated with the payload. */
   form_params: {[key: string]: string} | null
+  /** Encrypted data used by /actions/:actionId/oauth_token route */
+  state: string | null
 }
 
 export interface RequestDataWebhookPayload {

diff --git a/src/hub/action_request.ts b/src/hub/action_request.ts
@@ -140,13 +140,18 @@ export class ActionRequest {
       request.formParams = json.form_params
     }
 
+    if (json.state) {
+      request.fetchTokenState = json.state
+    }
+
     return request
   }
 
   attachment?: ActionAttachment
   formParams: ParamMap = {}
   params: ParamMap = {}
   scheduledPlan?: ActionScheduledPlan
+  fetchTokenState?: string
   type!: ActionType
   actionId?: string
   instanceId?: string

diff --git a/src/hub/action_token.ts b/src/hub/action_token.ts
@@ -1,3 +1,10 @@
 export class ActionToken {
   constructor(public tokens: any, public redirect: any) {}
+
+  asJson(): any {
+    return {
+      tokens: this.tokens,
+      redirect: this.redirect,
+    }
+  }
 }
diff --git a/src/server/server.ts b/src/server/server.ts
@@ -204,7 +204,7 @@ export default class Server implements Hub.RouteBuilder {
       if (isOauthActionV2(action)) {
         const payload = await (action as OAuthActionV2).oauthFetchAccessToken(request)
         res.type("json")
-        res.send(JSON.stringify(payload))
+        res.send(JSON.stringify(payload.asJson()))
       } else {
         res.statusCode = 404
       }

diff --git a/test/test_action_request.ts b/test/test_action_request.ts
@@ -5,6 +5,25 @@ import {mockReq} from "sinon-express-mock"
 import { ActionRequest } from "../src/hub"
 
 describe("ActionRequest", () => {
+  it("fromRequest correctly parses state from body", () => {
+    const req = mockReq({
+      headers: {
+        "user-agent": "LookerOutgoingWebhook/7.3.0",
+        "x-looker-webhook-id": "123",
+        "x-looker-instance": "instanceId1",
+      },
+      body: {
+        state: "someEncryptedStateString",
+      },
+    })
+
+    // @ts-ignore
+    req.header = (name: string): string | string[] | undefined => req.headers[name]
+
+    const result = ActionRequest.fromRequest(req)
+    chai.expect(result.fetchTokenState).to.equal("someEncryptedStateString")
+  })
+
   it("fromRequest", () => {
 
     const req = mockReq({