diff --git a/auth.js b/auth.js
index 390ea95..d3c4d0f 100644
--- a/auth.js
+++ b/auth.js
@@ -17,7 +17,7 @@ export class Auth {
 this.giteaClientSecret = giteaClientSecret
 }
- async redirect(event) {
+ redirectUrl(state) {
 const url = new URL(
 this.giteaWebBaseUrl + '/login/oauth/authorize'
 )
@@ -28,14 +28,23 @@ export class Auth {
 'redirect_uri',
 this.remoteBaseUrl + '/auth/callback'
 )
+ search.set('state', state)
+ url.search = search.toString()
+ return url.toString()
+ }
+
+ buildState() {
 const timestamp = new Date().valueOf()
 const randomInt = Math.floor(Math.random() * 10000)
 // TODO: sign
- const state = `${randomInt}-${timestamp}`
- search.set('state', state)
- url.search = search.toString()
+ return `${randomInt}-${timestamp}`
+ }
+
+ async redirect(event) {
+ const state = this.buildState()
+ const url = this.redirectUrl(state)
 const headers = new Headers({
- Location: url.toString()
+ Location: url
 })
 cookie.setCookie(headers, {
 name: 'oauth.gitea.state',
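Review bot: `buildState()` still builds the OAuth `state` from `Math.random()` and the current time, so the value that ties the callback to this browser is one of 10000 integers plus a guessable timestamp. Now that it has its own method, the body could become `return crypto.randomUUID()` (or hex from `crypto.getRandomValues`), assuming the runtime exposes Web Crypto as the use of `Headers` suggests. The callback handler is outside this diff, so confirm it compares the returned `state` exactly against the `oauth.gitea.state` cookie and clears the cookie afterwards. The `cookie.setCookie` options are cut off at the end of the hunk and should carry the HttpOnly, Secure and SameSite=Lax attributes. `redirectUrl(state)`, which starts in the previous hunk, would benefit from a one-line doc comment saying that `state` must be the same value written to that cookie.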