From 6ff6d215ab9766bf0faf172a3efa2b4874bfac43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20Tr=C3=A9gou=C3=ABt?=
Date: Mon, 11 May 2020 15:57:58 +0200
Subject: [PATCH] fix: add state parameter for oauth2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

state parameter is recommended with oauth2 authentification to mitigate CSRF attacks (see [1]).

hydra [2] will throw the following error message if state is missing:

description="The state is missing or has less than 8 characters and is therefore considered too weak" error=invalid_state hint="Request parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy."

[1]: https://auth0.com/docs/protocols/oauth2/oauth-state
[2]: https://www.ory.sh/hydra/

Signed-off-by: Samuel Trégouët
---
 lib/auth/oauth2/index.js | 1 +
 lib/config/default.js | 1 +
 lib/config/environment.js | 1 +
 3 files changed, 3 insertions(+)

diff --git a/lib/auth/oauth2/index.js b/lib/auth/oauth2/index.js
index f223a159..5c432d3b 100644
--- a/lib/auth/oauth2/index.js
+++ b/lib/auth/oauth2/index.js
@@ -16,6 +16,7 @@ passport.use(new OAuth2CustomStrategy({
 clientSecret: config.oauth2.clientSecret,
 callbackURL: config.serverURL + '/auth/oauth2/callback',
 userProfileURL: config.oauth2.userProfileURL,
+ state: config.oauth2.state,
 scope: config.oauth2.scope
 }, passportGeneralCallback))
diff --git a/lib/config/default.js b/lib/config/default.js
index 79bb1aad..95ee1940 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -100,6 +100,7 @@ module.exports = {
 userProfileDisplayNameAttr: 'displayName',
 userProfileEmailAttr: 'email',
 userProfilePhotoAttr: 'photo',
+ state: true,
 scope: 'email'
 },
 facebook: {
diff --git a/lib/config/environment.js b/lib/config/environment.js
index f51ccfb2..0867aecf 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
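Review bot: Passing `state: config.oauth2.state` into the strategy switches on a session-backed state store in passport-oauth2's default implementation (assuming OAuth2CustomStrategy inherits it), so the authorization redirect will now fail with a "requires session support" style error whenever session middleware has not run before the `/auth/oauth2` route; with the value defaulting to enabled this deserves a check that the route is mounted after session setup. The `passport.use(...)` call begins before the hunk. A short comment on the new line would help the next reader: `state: config.oauth2.state, // per-request state parameter (CSRF mitigation); relies on req.session`.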
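Review bot: The new default `state: true` is undocumented at the one place operators look for OAuth2 settings, and it changes behaviour for every existing OAuth2 deployment on upgrade. A trailing comment would make both points explicit, e.g. `state: true, // send and verify the OAuth2 state parameter (CSRF mitigation); on by default since this commit`. The enclosing `oauth2` object and `module.exports` continue outside the hunk.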
@@ -94,6 +94,7 @@ module.exports = {
 tokenURL: process.env.CMD_OAUTH2_TOKEN_URL,
 userProfileURL: process.env.CMD_OAUTH2_USER_PROFILE_URL,
 scope: process.env.CMD_OAUTH2_SCOPE,
+ state: process.env.CMD_OAUTH2_STATE,
 userProfileUsernameAttr: process.env.CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR,
 userProfileDisplayNameAttr: process.env.CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR,
 userProfileEmailAttr: process.env.CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR,
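Review bot: `state: process.env.CMD_OAUTH2_STATE` stores the raw environment string, so any non-empty value — including `CMD_OAUTH2_STATE=false` — is truthy and keeps the state check enabled, while an unset variable yields `undefined`; the setting therefore cannot be switched off from the environment, which is presumably what exposing it here is for. The file's other boolean settings are converted with `toBooleanConfig` from `./utils` (not visible in this hunk, so confirm it is in scope), and the new line should follow that convention: `state: toBooleanConfig(process.env.CMD_OAUTH2_STATE),`. The `module.exports` object starts and ends outside the hunk.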