diff --git a/changelog.d/ueberauth.fix b/changelog.d/ueberauth.fix
new file mode 100644
index 000000000..7a37cc03d
--- /dev/null
+++ b/changelog.d/ueberauth.fix
@@ -0,0 +1 @@
+ Save OAuth state into session instead of a URL parameter, since ueberauth uses "state" for CSRF protection now
\ No newline at end of file
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 0b3de5481..ce5f944b4 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -420,13 +420,10 @@ defmodule Pleroma.Web.OAuth.OAuthController do
|> Map.put("scope", scope)
|> Jason.encode!()
- params =
- auth_attrs
- |> Map.drop(~w(scope scopes client_id redirect_uri))
- |> Map.put("state", state)
+ conn = put_session(conn, :o_auth_state, state)
# Handing the request to Ueberauth
- redirect(conn, to: Routes.o_auth_path(conn, :request, provider, params))
+ redirect(conn, to: Routes.o_auth_path(conn, :request, provider))
end
def request(%Plug.Conn{} = conn, params) do
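Review bot: The value written by `conn = put_session(conn, :o_auth_state, state)` is never removed again in this commit, so the JSON-encoded authorization attributes stay in the session after the provider round-trip completes and a later unrelated `callback/2` hit would still find and reuse them. A second `request` started in the same session before the first callback arrives also silently overwrites the first state, which the old per-redirect URL parameter did not do. Consuming the key on the callback side, e.g. `conn = delete_session(conn, :o_auth_state)` once `callback_params/2` has read it, keeps the stored state single-use. The enclosing function that builds `state` begins above this hunk.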
@@ -445,7 +442,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
def callback(%Plug.Conn{assigns: %{ueberauth_failure: failure}} = conn, params) do
- params = callback_params(params)
+ params = callback_params(conn, params)
messages = for e <- Map.get(failure, :errors, []), do: e.message
message = Enum.join(messages, "; ")
@@ -458,7 +455,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
def callback(%Plug.Conn{} = conn, params) do
- params = callback_params(params)
+ params = callback_params(conn, params)
with {:ok, registration} <- Authenticator.get_registration(conn) do
auth_attrs = Map.take(params, ~w(client_id redirect_uri scope scopes state))
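Review bot: `auth_attrs = Map.take(params, ~w(client_id redirect_uri scope scopes state))` still takes `"state"` from the merged params, but after this change the `"state"` query parameter on the callback is ueberauth's CSRF token, not the client's `state`; the client's value only survives if the JSON blob stored under `:o_auth_state` (built above hunk 1, outside this diff) carries a `"state"` key of its own and `Map.merge/2` lets it win. Worth confirming which of the two values ends up in `auth_attrs["state"]`, since that is what is echoed back to the client's `redirect_uri`. If the blob does not include it, the state the client sent would be replaced by ueberauth's token. The enclosing `callback/2` clause continues below this hunk.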
@@ -488,7 +485,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
end
end
- defp callback_params(%{"state" => state} = params) do
+ defp callback_params(conn, params) do
+ state = get_session(conn, :o_auth_state)
+
Map.merge(params, Jason.decode!(state))
end
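Review bot: `state = get_session(conn, :o_auth_state)` returns `nil` when the session has no such key (callback reached without a prior `request/2`, expired or a different session cookie), and the next line then calls `Jason.decode!(nil)`, which raises instead of producing a recognizable error; the old head `%{"state" => state}` at least failed at the function boundary. Both `callback/2` clauses (hunks at L55 and L62) reach this path. Matching on a binary before decoding makes the missing-state case explicit; whether that case should fall through with `params` unchanged or be turned into an error response depends on how `callback/2` treats missing `client_id`/`redirect_uri`, which is outside this hunk.
```elixir
defp callback_params(conn, params) do
  case get_session(conn, :o_auth_state) do
    state when is_binary(state) -> Map.merge(params, Jason.decode!(state))
    # no stored state: let the caller decide rather than crashing in decode!
    _ -> params
  end
end
```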