Implement oauth2 state correctly

server/cmd/code-annotation/main.go

@@ -76,5 +76,7 @@ func main() {
 	})
 
 	logrus.Info("running...")
-	http.ListenAndServe(fmt.Sprintf("%s:%d", conf.Host, conf.Port), r)
+	if err := http.ListenAndServe(fmt.Sprintf("%s:%d", conf.Host, conf.Port), r); err != nil {
+		panic(err)
+	}
 }

server/handler/auth.go

@@ -12,15 +12,15 @@ import (
 // Login handler redirects user to oauth provider
 func Login(oAuth *service.OAuth) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		url := oAuth.MakeAuthURL()
+		url := oAuth.MakeAuthURL(w, r)
 		http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 	}
 }
 
 // OAuthCallback makes exchange with oauth provider, gets&creates user and redirects to index page with JWT token
 func OAuthCallback(oAuth *service.OAuth, jwt *service.JWT, userRepo *repository.Users, uiDomain string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := oAuth.ValidateState(r.FormValue("state")); err != nil {
+		if err := oAuth.ValidateState(r, r.FormValue("state")); err != nil {
 			writeResponse(w, respErr(http.StatusBadRequest, err.Error()))
 			return
 		}

server/service/oauth.go

@@ -2,19 +2,18 @@ package service
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"net/http"
 
+	"github.com/gorilla/sessions"
 	"github.com/src-d/code-annotation/server/model"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
 )
 
-// State is a token to protect the user from CSRF attacks.
-// You must always provide a non-empty string and validate that it matches the the state query parameter on your redirect callback
-// FIXME issue: https://github.com/src-d/code-annotation/issues/21
-const oauthStateString = "state"
-
 // OAuthConfig defines enviroment variables for OAuth
 type OAuthConfig struct {
 	ClientID     string `envconfig:"CLIENT_ID" required:"true"`
@@ -24,6 +23,7 @@ type OAuthConfig struct {
 // OAuth service abstracts OAuth implementation
 type OAuth struct {
 	config *oauth2.Config
+	store  *sessions.CookieStore
 }
 
 // NewOAuth return new OAuth service
@@ -36,6 +36,7 @@ func NewOAuth(clientID, clientSecret string) *OAuth {
 	}
 	return &OAuth{
 		config: config,
+		store:  sessions.NewCookieStore([]byte(clientSecret)),
 	}
 }
 
@@ -47,13 +48,25 @@ type githubUser struct {
 }
 
 // MakeAuthURL returns string for redirect to provider
-func (o *OAuth) MakeAuthURL() string {
-	return o.config.AuthCodeURL(oauthStateString)
+func (o *OAuth) MakeAuthURL(w http.ResponseWriter, r *http.Request) string {
+	b := make([]byte, 16)
+	rand.Read(b)
+	state := base64.URLEncoding.EncodeToString(b)
+
+	session, _ := o.store.Get(r, "sess")
+	session.Values["state"] = state
+	session.Save(r, w)
+
+	return o.config.AuthCodeURL(state)
 }
 
 // ValidateState protects the user from CSRF attacks
-func (o *OAuth) ValidateState(state string) error {
-	if state != oauthStateString {
+func (o *OAuth) ValidateState(r *http.Request, state string) error {
+	session, err := o.store.Get(r, "sess")
+	if err != nil {
+		return fmt.Errorf("can't get session: %s", err)
+	}
+	if state != session.Values["state"] {
 		return fmt.Errorf("incorrect state: %s", state)
 	}
 	return nil