From da875020a218e696aee3ff0677e0ba8999d59216 Mon Sep 17 00:00:00 2001
From: evelyn masso <outofambit@github.com>
Date: Mon, 10 Sep 2018 21:07:31 -0700
Subject: [PATCH] no need to send state when requesting oauth token for user

---
 app/src/lib/api.ts | 2 --
 app/src/lib/dispatcher/dispatcher.ts | 2 +-
 app/src/lib/oauth.ts | 11 ++++-------
 app/src/lib/parse-app-url.ts | 6 ++++--
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/app/src/lib/api.ts b/app/src/lib/api.ts
index 68aba92fc9d..3b8f8a77c09 100644
--- a/app/src/lib/api.ts
+++ b/app/src/lib/api.ts
@@ -865,7 +865,6 @@ export function getOAuthAuthorizationURL(
 export async function requestOAuthToken(
 endpoint: string,
- state: string,
 code: string
 ): Promise<string | null> {
 try {
@@ -879,7 +878,6 @@ export async function requestOAuthToken(
 client_id: ClientID,
 client_secret: ClientSecret,
 code: code,
- state: state,
 }
 )
 const result = await parsedResponse<IAPIAccessToken>(response)
diff --git a/app/src/lib/dispatcher/dispatcher.ts b/app/src/lib/dispatcher/dispatcher.ts
index 993fddc293b..101102346ef 100644
--- a/app/src/lib/dispatcher/dispatcher.ts
+++ b/app/src/lib/dispatcher/dispatcher.ts
@@ -821,7 +821,7 @@ export class Dispatcher {
 case 'oauth':
 try {
 log.info(`[Dispatcher] requesting authenticated user`)
- const user = await requestAuthenticatedUser(action.code)
+ const user = await requestAuthenticatedUser(action.code, action.state)
 if (user) {
 resolveOAuthRequest(user)
 } else if (user === null) {
diff --git a/app/src/lib/oauth.ts b/app/src/lib/oauth.ts
index 8306307058a..10a332f28ad 100644
--- a/app/src/lib/oauth.ts
+++ b/app/src/lib/oauth.ts
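Review bot: After dropping the `state` parameter from `requestOAuthToken`, nothing in this function records where the OAuth state check now lives, and any TSDoc above the signature (outside the hunk) that still describes a state parameter would be stale; the second api.ts hunk, which drops `state: state` from the request body, has the same gap. The token endpoint is only given `client_id`, `client_secret` and `code` here, so the removal itself looks correct, but a reader of this function can no longer tell that CSRF protection for the callback exists elsewhere. Suggest a comment on the signature: `// The OAuth 'state' value is validated by the caller (requestAuthenticatedUser) before this exchange; the token endpoint does not require it.` requestOAuthToken's body continues outside both hunks.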
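Review bot: The added line `const user = await requestAuthenticatedUser(action.code, action.state)` appears to exceed the line width the rest of this diff is formatted to (the `requestOAuthToken(` call in oauth.ts is wrapped one argument per line), so the formatter will rewrap it on the next pass; better to commit it already wrapped with `action.code,` and `action.state` on their own lines. Functionally the call is consistent with the rest of the patch, since `state` becomes a required field of IOAuthAction in parse-app-url.ts and so cannot be undefined here. The enclosing `case 'oauth'` and its try block start and end outside the hunk.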
@@ -42,20 +42,17 @@ export function askUserToOAuth(endpoint: string) {
 * the code cannot be used to retrieve a valid GitHub user.
 */
 export async function requestAuthenticatedUser(
- code: string
+ code: string,
+ state: string
 ): Promise<Account | null | undefined> {
- if (!oauthState) {
+ if (!oauthState || state !== oauthState.state) {
 log.warn(
 'requestAuthenticatedUser was not called with valid OAuth state. This is likely due to a browser reloading the callback URL. Contact GitHub Support if you believe this is an error'
 )
 return undefined
 }
- const token = await requestOAuthToken(
- oauthState.endpoint,
- oauthState.state,
- code
- )
+ const token = await requestOAuthToken(oauthState.endpoint, code)
 if (token) {
 return fetchUser(oauthState.endpoint, token)
 } else {
diff --git a/app/src/lib/parse-app-url.ts b/app/src/lib/parse-app-url.ts
index b9e38022ccb..6412b0874a9 100644
--- a/app/src/lib/parse-app-url.ts
+++ b/app/src/lib/parse-app-url.ts
@@ -4,6 +4,7 @@ import { testForInvalidChars } from './sanitize-branch'
 export interface IOAuthAction {
 readonly name: 'oauth'
 readonly code: string
+ readonly state: string
 }
 export interface IOpenRepositoryFromURLAction {
@@ -83,8 +84,9 @@ export function parseAppURL(url: string): URLActionType {
 const actionName = hostname.toLowerCase()
 if (actionName === 'oauth') {
 const code = getQueryStringValue(query, 'code')
- if (code != null) {
- return { name: 'oauth', code }
+ const state = getQueryStringValue(query, 'state')
+ if (code != null && state != null) {
+ return { name: 'oauth', code, state }
 } else {
 return unknown
 }
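Review bot: The new guard `if (!oauthState || state !== oauthState.state)` folds two distinct failures into one warning whose text still blames a browser reload; a mismatch while a flow is pending is exactly the case this comparison exists to catch (a callback the app did not initiate) and deserves its own log line so it can be told apart in support logs. Keeping the single early return, something like `const reason = oauthState ? 'state did not match the pending request' : 'no OAuth request is pending'` followed by `log.warn(\`requestAuthenticatedUser: ${reason}. This may be a browser reloading the callback URL ...\`)` would do it. The TSDoc header above (it starts outside the hunk) should also document the new `state` parameter and that `undefined` means the callback was rejected before any token exchange was attempted. Whether `oauthState` is cleared once a callback has been consumed or rejected is not visible here; if it is not, a rejected callback can be retried against the same pending state, which is worth confirming. requestAuthenticatedUser's body continues past the hunk.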
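Review bot: `readonly state: string` on IOAuthAction is added without a comment, yet it is the value the rest of this patch uses to bind a callback to the flow that started it, and the interface gives no hint that it is security-relevant rather than just another query parameter. Suggest a short comment above the field, e.g. `/** Opaque value issued when the OAuth flow began; must match the pending request or the callback is rejected. */`. The interface is complete within the hunk.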
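Review bot: A callback URL carrying `code` but no `state` now falls through to `return unknown` at the end of the hunk with no log line, whereas before this patch it reached `requestAuthenticatedUser` and produced the warning there; how `unknown` is handled by the caller is outside this hunk, but if it is silent the user gets no feedback for a malformed callback. If `log` is in scope in this file (not visible here), a `log.warn('[parseAppURL] oauth callback is missing code or state')` before the `return unknown` would preserve the old diagnosability. Note also that `getQueryStringValue` may well return an empty string for `?state=`, which passes the `!= null` check here and is only rejected later by the state comparison; that seems acceptable but is worth a one-line comment. parseAppURL continues outside the hunk.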