Generic OAuth2: Set state: true

The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419d.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
Dexter Chua 2020-06-16 16:45:23 +08:00 committed by haslersn
parent a160d81fe3
commit a88b4aff2a


@ -90,7 +90,8 @@ passport.use(new OAuth2CustomStrategy({
clientSecret: config.oauth2.clientSecret, clientSecret: config.oauth2.clientSecret,
callbackURL: config.serverURL + '/auth/oauth2/callback', callbackURL: config.serverURL + '/auth/oauth2/callback',
userProfileURL: config.oauth2.userProfileURL, userProfileURL: config.oauth2.userProfileURL,
scope: config.oauth2.scope scope: config.oauth2.scope,
state: true
}, passportGeneralCallback)) }, passportGeneralCallback))
oauth2Auth.get('/auth/oauth2', function (req, res, next) { oauth2Auth.get('/auth/oauth2', function (req, res, next) {