Increase detail of state token errors

Before: a missing state error could be returned for 3 reasons: a token was not provided, the token provided was invalid, or the token provided had expired.

There was no way of knowing which of these was the cause of any single missing state error.

Now: if no token is provided, a missing state error is returned, and the "openid-connect-generic-no-state-provided" action is called.

If the token provided is invalid, an "Invalid state" error is thrown and the "openid-connect-generic-state-not-found" action is called.

If the token provided has expired, an "Invalid state" error is returned and the "openid-connect-generic-state-expired" action is called.

This should allow for more granular error logging around state token errors.

includes/openid-connect-generic-client.php

@@ -84,10 +84,15 @@ class OpenID_Connect_Generic_Client {
 		}
 
 		// check the client request state
-		if ( ! isset( $request['state'] ) || ! $this->check_state( $request['state'] ) ){
+		if( ! isset( $request['state']) ) {
+			do_action( 'openid-connect-generic-no-state-provided' );
 			return new WP_Error( 'missing-state', __( 'Missing state.' ), $request );
 		}
 
+		if ( ! $this->check_state( $request['state'] ) ) {
+			return new WP_Error( 'invalid-state', __( 'Invalid state.' ), $request );
+		}
+
 		return $request;
 	}
 
@@ -261,8 +266,20 @@ class OpenID_Connect_Generic_Client {
 	 * @return bool
 	 */
 	function check_state( $state ) {
+
+		$state_found = true;
+
+		if ( ! get_option( '_transient_openid-connect-generic-state--' . $state ) ) {
+			do_action( 'openid-connect-generic-state-not-found', $state );
+			$state_found = false;
+		}
+
 		$valid = get_transient( 'openid-connect-generic-state--' . $state );
 
+		if ( ! $valid && $state_found ) {
+			do_action( 'openid-connect-generic-state-expired', $state );
+		}
+
 		return !!$valid;
 	}