From a88b4aff2a904cd2351002784817d54120766ad8 Mon Sep 17 00:00:00 2001
From: Dexter Chua
Date: Tue, 16 Jun 2020 16:45:23 +0800
Subject: Generic OAuth2: Set state: true

The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
---
 lib/web/auth/oauth2/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/web')

diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 1865ad54..6e3e8373 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -90,7 +90,8 @@ passport.use(new OAuth2CustomStrategy({
   clientSecret: config.oauth2.clientSecret,
   callbackURL: config.serverURL + '/auth/oauth2/callback',
   userProfileURL: config.oauth2.userProfileURL,
-  scope: config.oauth2.scope
+  scope: config.oauth2.scope,
+  state: true
 }, passportGeneralCallback))
 
 oauth2Auth.get('/auth/oauth2', function (req, res, next) {
-- 
cgit v1.2.3