From a88b4aff2a904cd2351002784817d54120766ad8 Mon Sep 17 00:00:00 2001 From: Dexter Chua Date: Tue, 16 Jun 2020 16:45:23 +0800 Subject: [PATCH] Generic OAuth2: Set state: true The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set. This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f. Signed-off-by: haslersn --- lib/web/auth/oauth2/index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js index 1865ad54c..6e3e8373f 100644 --- a/lib/web/auth/oauth2/index.js +++ b/lib/web/auth/oauth2/index.js @@ -90,7 +90,8 @@ passport.use(new OAuth2CustomStrategy({ clientSecret: config.oauth2.clientSecret, callbackURL: config.serverURL + '/auth/oauth2/callback', userProfileURL: config.oauth2.userProfileURL, - scope: config.oauth2.scope + scope: config.oauth2.scope, + state: true }, passportGeneralCallback)) oauth2Auth.get('/auth/oauth2', function (req, res, next) {