From da875020a218e696aee3ff0677e0ba8999d59216 Mon Sep 17 00:00:00 2001
From: evelyn masso <outofambit@github.com>
Date: Mon, 10 Sep 2018 21:07:31 -0700
Subject: [PATCH] no need to send state when requesting oauth token for user

---
 app/src/lib/api.ts                   |  2 --
 app/src/lib/dispatcher/dispatcher.ts |  2 +-
 app/src/lib/oauth.ts                 | 11 ++++-------
 app/src/lib/parse-app-url.ts         |  6 ++++--
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/app/src/lib/api.ts b/app/src/lib/api.ts
index 68aba92fc9d..3b8f8a77c09 100644
--- a/app/src/lib/api.ts
+++ b/app/src/lib/api.ts
@@ -865,7 +865,6 @@ export function getOAuthAuthorizationURL(
 
 export async function requestOAuthToken(
   endpoint: string,
-  state: string,
   code: string
 ): Promise<string | null> {
   try {
@@ -879,7 +878,6 @@ export async function requestOAuthToken(
         client_id: ClientID,
         client_secret: ClientSecret,
         code: code,
-        state: state,
       }
     )
     const result = await parsedResponse<IAPIAccessToken>(response)
diff --git a/app/src/lib/dispatcher/dispatcher.ts b/app/src/lib/dispatcher/dispatcher.ts
index 993fddc293b..101102346ef 100644
--- a/app/src/lib/dispatcher/dispatcher.ts
+++ b/app/src/lib/dispatcher/dispatcher.ts
@@ -821,7 +821,7 @@ export class Dispatcher {
       case 'oauth':
         try {
           log.info(`[Dispatcher] requesting authenticated user`)
-          const user = await requestAuthenticatedUser(action.code)
+          const user = await requestAuthenticatedUser(action.code, action.state)
           if (user) {
             resolveOAuthRequest(user)
           } else if (user === null) {
diff --git a/app/src/lib/oauth.ts b/app/src/lib/oauth.ts
index 8306307058a..10a332f28ad 100644
--- a/app/src/lib/oauth.ts
+++ b/app/src/lib/oauth.ts
@@ -42,20 +42,17 @@ export function askUserToOAuth(endpoint: string) {
  * the code cannot be used to retrieve a valid GitHub user.
  */
 export async function requestAuthenticatedUser(
-  code: string
+  code: string,
+  state: string
 ): Promise<Account | null | undefined> {
-  if (!oauthState) {
+  if (!oauthState || state !== oauthState.state) {
     log.warn(
       'requestAuthenticatedUser was not called with valid OAuth state. This is likely due to a browser reloading the callback URL. Contact GitHub Support if you believe this is an error'
     )
     return undefined
   }
 
-  const token = await requestOAuthToken(
-    oauthState.endpoint,
-    oauthState.state,
-    code
-  )
+  const token = await requestOAuthToken(oauthState.endpoint, code)
   if (token) {
     return fetchUser(oauthState.endpoint, token)
   } else {
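Review bot: The new `state !== oauthState.state` branch at the top of requestAuthenticatedUser reuses the pre-existing warning text, so a state mismatch — the case this check exists to reject — is logged as a probable browser reload, which makes the two conditions indistinguishable in the logs. Consider a separate guard with its own message, e.g. `log.warn('requestAuthenticatedUser received an OAuth state that does not match the pending request')`, keeping the reload explanation for the `!oauthState` case only. The doc comment ending at the top of the hunk does not describe the new parameter; a `@param state the state value echoed back in the callback URL, which must equal the value generated when the flow was started` line would cover it. Nothing in this hunk resets `oauthState` after a successful comparison, so if it is not cleared elsewhere the same callback URL would presumably be accepted again — worth confirming. The function body continues outside the hunk.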
diff --git a/app/src/lib/parse-app-url.ts b/app/src/lib/parse-app-url.ts
index b9e38022ccb..6412b0874a9 100644
--- a/app/src/lib/parse-app-url.ts
+++ b/app/src/lib/parse-app-url.ts
@@ -4,6 +4,7 @@ import { testForInvalidChars } from './sanitize-branch'
 export interface IOAuthAction {
   readonly name: 'oauth'
   readonly code: string
+  readonly state: string
 }
 
 export interface IOpenRepositoryFromURLAction {
@@ -83,8 +84,9 @@ export function parseAppURL(url: string): URLActionType {
   const actionName = hostname.toLowerCase()
   if (actionName === 'oauth') {
     const code = getQueryStringValue(query, 'code')
-    if (code != null) {
-      return { name: 'oauth', code }
+    const state = getQueryStringValue(query, 'state')
+    if (code != null && state != null) {
+      return { name: 'oauth', code, state }
     } else {
       return unknown
     }