no need to send state when requesting oauth token for user

shiftkey · Sep 12, 2018 · da87502 · da87502
1 parent eb9dbe1
commit da87502
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 12 deletions.
diff --git a/app/src/lib/api.ts b/app/src/lib/api.ts
@@ -865,7 +865,6 @@ export function getOAuthAuthorizationURL(
 
 export async function requestOAuthToken(
   endpoint: string,
-  state: string,
   code: string
 ): Promise<string | null> {
   try {
@@ -879,7 +878,6 @@ export async function requestOAuthToken(
         client_id: ClientID,
         client_secret: ClientSecret,
         code: code,
-        state: state,
       }
     )
     const result = await parsedResponse<IAPIAccessToken>(response)

diff --git a/app/src/lib/dispatcher/dispatcher.ts b/app/src/lib/dispatcher/dispatcher.ts
@@ -821,7 +821,7 @@ export class Dispatcher {
       case 'oauth':
         try {
           log.info(`[Dispatcher] requesting authenticated user`)
-          const user = await requestAuthenticatedUser(action.code)
+          const user = await requestAuthenticatedUser(action.code, action.state)
           if (user) {
             resolveOAuthRequest(user)
           } else if (user === null) {

diff --git a/app/src/lib/oauth.ts b/app/src/lib/oauth.ts
@@ -42,20 +42,17 @@ export function askUserToOAuth(endpoint: string) {
  * the code cannot be used to retrieve a valid GitHub user.
  */
 export async function requestAuthenticatedUser(
-  code: string
+  code: string,
+  state: string
 ): Promise<Account | null | undefined> {
-  if (!oauthState) {
+  if (!oauthState || state !== oauthState.state) {
     log.warn(
       'requestAuthenticatedUser was not called with valid OAuth state. This is likely due to a browser reloading the callback URL. Contact GitHub Support if you believe this is an error'
     )
     return undefined
   }
 
-  const token = await requestOAuthToken(
-    oauthState.endpoint,
-    oauthState.state,
-    code
-  )
+  const token = await requestOAuthToken(oauthState.endpoint, code)
   if (token) {
     return fetchUser(oauthState.endpoint, token)
   } else {

diff --git a/app/src/lib/parse-app-url.ts b/app/src/lib/parse-app-url.ts
@@ -4,6 +4,7 @@ import { testForInvalidChars } from './sanitize-branch'
 export interface IOAuthAction {
   readonly name: 'oauth'
   readonly code: string
+  readonly state: string
 }
 
 export interface IOpenRepositoryFromURLAction {
@@ -83,8 +84,9 @@ export function parseAppURL(url: string): URLActionType {
   const actionName = hostname.toLowerCase()
   if (actionName === 'oauth') {
     const code = getQueryStringValue(query, 'code')
-    if (code != null) {
-      return { name: 'oauth', code }
+    const state = getQueryStringValue(query, 'state')
+    if (code != null && state != null) {
+      return { name: 'oauth', code, state }
     } else {
       return unknown
     }