Use internal implementation for state generation & verification

Ryan Warsaw 2017-07-02 22:42:14 -05:00
Родитель 7351d20bda
Коммит 7c4be1d295
1 изменённых файлов: 5 добавлений и 7 удалений


@ -10,6 +10,7 @@ var OAuth2Strategy = require('passport-oauth2'),
* clientID: The client ID provided when you registered your app.
* clientSecret: The client secret provided when you registered your app.
* action: This is either "signup" or "signin", by default it's "signin".
* state: This must be set to "true", it helps prevent CSRF attacks.
*
* @param options
* @param verify
@ -35,9 +36,10 @@ util.inherits(Strategy, OAuth2Strategy);
Strategy.prototype.authorizationParams = function(options) {
var params = {};
if (options.action) {
params['action'] = options.action;
}
if (options.action) { params['action'] = options.action; }
// Webmaker requires state generation and verification be enabled, or it will throw an error.
if (options.state) { params['state'] = options.state; }
// This is just to get around a temporary bug of Webmaker calling "scope" as "scopes" and therefore rejecting "scope".
//TODO: Properly deal with multi-scope scenarios, currently an error is thrown.
@ -45,10 +47,6 @@ Strategy.prototype.authorizationParams = function(options) {
params['scopes'] = options.scope;
options.scope = null;
}
//TODO: Implement state verification, to prevent CSRF attacks
options.state = options.state || Math.random().toString(36).substring(2, 8);
return params;
};
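Review bot: The added `if (options.state) { params['state'] = options.state; }` line forwards whatever the caller put in `options.state` straight into the authorization request, while the doc comment added in the first hunk tells users to set `state` to "true". If that flag ever reaches `authorizationParams` (this depends on how the parent `OAuth2Strategy` passes options, which is not visible here), the request carries the constant `true` as its state, which satisfies Webmaker's presence check but is guessable and gives no CSRF protection. Since the commit title says generation and verification are delegated to the internal implementation, consider dropping the line or accepting only an explicit caller-chosen string, `if (typeof options.state === 'string') { params['state'] = options.state; }`. The doc line would also be clearer as `state: Set to true (boolean) so the underlying OAuth2 strategy generates and verifies a per-session state value; required by Webmaker and helps prevent CSRF.`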