Infrastructure | medium complexity | backend
Dependencies: 0 | Dependents: 0 | Entities: 0 | Integrations: 0

Description

Receives the OAuth callback redirect from Vipps after the user completes authentication, extracts the authorization code and state parameter, and routes the request to VippsAuthService for token exchange. Validates the state parameter to prevent CSRF attacks and handles error codes returned by Vipps in the redirect. Acts as the HTTP boundary between the Vipps platform and the internal authentication pipeline.

Feature: Vipps Authentication

vipps-callback-handler

Sources & reasoning

Line 42 names Vipps as preferred by all four organizations, deferred to Fase 2 (= v1.0) alongside BankID. Line 379 explicitly notes the monthly Vipps cost and cost-sharing requirement, confirming it as a concrete deliverable with a commercial prerequisite that must be resolved before release.

  • All four organizations point to BankID or Vipps as the preferred authentication for first-time login
  • Vipps login cost (350-750 kr/month) is split between the organizations - agree on a model

Responsibilities

  • Accept the incoming OAuth redirect from Vipps at the registered callback URL
  • Validate the state parameter against the session-stored value to prevent CSRF
  • Extract the authorization code or error payload from the query parameters
  • Forward valid callbacks to VippsAuthService and return a platform session to the client
  • Return appropriate error responses for denied consent or Vipps-side failures

Interfaces

handleCallback(req: HttpRequest): HttpResponse
validateState(receivedState: string, sessionState: string): boolean
extractAuthCode(query: QueryParams): string
handleVippsError(error: string, errorDescription: string): HttpResponse
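
The sketch below is an added example, not the project's own code: it shows one way the four interfaces above could fit together so that the state is single-use and is checked before either the code or an error payload is acted on. Assumptions: the request, response and session shapes, the `single` helper, the `exchange` parameter standing in for VippsAuthService, and the status codes and messages.

```typescript
// Added example: the types and the `exchange` stand-in are assumptions, not project code.
type QueryParams = Record<string, string | string[] | undefined>;
interface HttpRequest { query: QueryParams; session: { oauthState?: string } }
interface HttpResponse { status: number; body: string }
type Exchange = (code: string) => string; // stand-in for VippsAuthService; returns a session id

// Length check plus XOR accumulation, so timing does not reveal the first differing position.
function validateState(receivedState: string, sessionState: string): boolean {
  if (!receivedState || !sessionState || receivedState.length !== sessionState.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionState.length; i++) {
    diff |= receivedState.charCodeAt(i) ^ sessionState.charCodeAt(i);
  }
  return diff === 0;
}

// Accept a parameter only when it occurs exactly once as a non-empty string.
function single(query: QueryParams, name: string): string | undefined {
  const v = query[name];
  return typeof v === "string" && v.length > 0 ? v : undefined;
}

function extractAuthCode(query: QueryParams): string {
  const code = single(query, "code");
  if (code === undefined) throw new Error("missing or duplicated code parameter");
  return code;
}

// Map the OAuth error code to a fixed message; the description is never echoed to the client.
function handleVippsError(error: string, errorDescription: string): HttpResponse {
  void errorDescription; // would go to server-side logs only
  return error === "access_denied"
    ? { status: 403, body: "Login cancelled" }
    : { status: 502, body: "Login provider error" };
}

function handleCallback(req: HttpRequest, exchange: Exchange): HttpResponse {
  const expected = req.session.oauthState ?? "";
  delete req.session.oauthState; // single use: a replayed callback finds no stored state
  if (!validateState(single(req.query, "state") ?? "", expected)) {
    return { status: 400, body: "Invalid state" };
  }
  const error = single(req.query, "error");
  if (error !== undefined) return handleVippsError(error, single(req.query, "error_description") ?? "");
  let code: string;
  try { code = extractAuthCode(req.query); } catch { return { status: 400, body: "Invalid callback" }; }
  return { status: 200, body: exchange(code) };
}
```

Because the stored state is deleted before any other check, a callback URL replayed from browser history or a log fails state validation even when its parameters are otherwise intact.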