From d85147ead007b59064a1806f2a363178a29b22b9 Mon Sep 17 00:00:00 2001
From: K900 <me@0upti.me>
Date: Sat, 27 Apr 2024 15:00:42 +0300
Subject: [PATCH] nixos/oauth2_proxy_nginx: fix URL escaping

---
 nixos/modules/services/security/oauth2_proxy_nginx.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 1b86656c7d4c..91d846abb36e 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -87,9 +87,9 @@ in
         "/oauth2/auth" = let
           maybeQueryArg = name: value:
             if value == null then null
-            else "${name}=${lib.concatStringsSep "," value}";
+            else "${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}";
           allArgs = lib.mapAttrsToList maybeQueryArg conf;
-          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+          cleanArgs = builtins.filter (x: x != null) allArgs;
           cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
         in {
           # nginx doesn't support passing query string arguments to auth_request,