Generic OAuth2: Set state: true

The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set. This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f. Signed-off-by: haslersn <sebastian.hasler@gmx.net>
author: Dexter Chua 2020-06-16 16:45:23 +0800
committer: haslersn 2020-10-22 22:50:34 +0200
commit: a88b4aff2a904cd2351002784817d54120766ad8 (patch)
tree: 79a0f424d59f9f4982b662f005b6596743bb5e66 /lib/web/auth/oauth2/index.js
parent: a160d81fe33044ca8fbb71addd77c40d55b37251 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 1865ad54..6e3e8373 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -90,7 +90,8 @@ passport.use(new OAuth2CustomStrategy({
   clientSecret: config.oauth2.clientSecret,
   callbackURL: config.serverURL + '/auth/oauth2/callback',
   userProfileURL: config.oauth2.userProfileURL,
-  scope: config.oauth2.scope
+  scope: config.oauth2.scope,
+  state: true
 }, passportGeneralCallback))
 
 oauth2Auth.get('/auth/oauth2', function (req, res, next) {
author	Dexter Chua	2020-06-16 16:45:23 +0800
committer	haslersn	2020-10-22 22:50:34 +0200
commit	a88b4aff2a904cd2351002784817d54120766ad8 (patch)
tree	79a0f424d59f9f4982b662f005b6596743bb5e66 /lib/web/auth/oauth2/index.js
parent	a160d81fe33044ca8fbb71addd77c40d55b37251 (diff)