From 852868419dc03d5dec79e75a3d7692ab670c927f Mon Sep 17 00:00:00 2001
From: Dexter Chua
Date: Tue, 16 Jun 2020 16:45:23 +0800
Subject: [PATCH] Generic OAuth2: Set state: true

The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set.

Signed-off-by: Dexter Chua
---
 src/lib/web/auth/oauth2/index.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/web/auth/oauth2/index.ts b/src/lib/web/auth/oauth2/index.ts
index 61ed6af4b..8aa1d8f8d 100644
--- a/src/lib/web/auth/oauth2/index.ts
+++ b/src/lib/web/auth/oauth2/index.ts
@@ -17,7 +17,8 @@ export const OAuth2Middleware: AuthMiddleware = {
     clientSecret: config.oauth2.clientSecret,
     callbackURL: config.serverURL + '/auth/oauth2/callback',
     userProfileURL: config.oauth2.userProfileURL,
-    scope: config.oauth2.scope
+    scope: config.oauth2.scope,
+    state: true
   }, passportGeneralCallback))
 
   OAuth2Auth.get('/auth/oauth2', passport.authenticate('oauth2'))
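Review bot: The added `state: true` line has no comment explaining what it depends on, and with passport-oauth2 this option only provides the CSRF protection the commit message describes if the strategy can persist the state between the `/auth/oauth2` redirect and the `/auth/oauth2/callback` request — by default it keeps it in `req.session`, so session middleware has to be mounted ahead of these routes or the callback is rejected at runtime rather than at startup. I would annotate the new line with `// CSRF protection for the callback (RFC 6749 §10.12); passport-oauth2 stores the state in req.session, so session middleware must run before this strategy` so the next maintainer does not reorder the middleware and silently break the login. Whether the session middleware is in fact mounted first cannot be confirmed from this hunk; the enclosing `OAuth2Middleware` object begins before the hunk and its strategy registration continues past it.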