Don't include state in OAuth 2 exchange flow #3034

Merged (2 commits), Sep 6, 2024

Conversation

oleg-codaio (Contributor)

Description

Some APIs don't like extraneous properties such as state. Avoid passing that in unless it's set to a non-empty value.

Fixes #3033.

};
if (state) {
data.state = state;
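Review bot: the `if (state)` guard in this region still forwards `state` to the token endpoint whenever a value is present, which is the behaviour the linked issue reports as breaking some providers. In the authorization-code grant the token request carries grant_type, code, redirect_uri and client_id (RFC 6749 §4.1.3); `state` belongs to the authorization request and its redirect response, where the client checks it. Drop the `state: state` property and the conditional together rather than keeping the guard.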
@pietrygamat pietrygamat (Contributor), Sep 5, 2024


Actually, I believe the state parameter should not be sent to the access_token endpoint at all - it may be required by some services when directing the user's browser to the authorization URL, and at this stage of the flow Bruno should at most verify that the state parameter was returned from getOAuth2AuthorizationCode - or maybe ignore it, because the XSRF attacks the state parameter protects from are not a threat in Bruno's integrated browser (may change if #2650 is implemented though).

As a short-term solution, I suggest removing line 33

state: state

and skipping the if part entirely.

oleg-codaio (Contributor, Author)

You might be right - updated!

@oleg-codaio oleg-codaio changed the title from "Don't include state in OAuth 2 exchange flow if not specified" to "Don't include state in OAuth 2 exchange flow" Sep 5, 2024
@pietrygamat pietrygamat (Contributor) left a comment

👍

@helloanoop helloanoop merged commit 5d7f44f into usebruno:main Sep 6, 2024
Its-treason pushed a commit to Its-treason/bruno that referenced this pull request Sep 7, 2024
* Don't include state in OAuth 2 exchange flow if not specified
* Remove state entirely
@oleg-codaio oleg-codaio deleted the patch-1 branch September 8, 2024 00:56
Successfully merging this pull request may close these issues.

OAuth 2.0 auth Get Access Token button results in errors when state is passed in