
Don't include state in OAuth 2 exchange flow #3034

Merged: 2 commits, Sep 6, 2024
Changes from 1 commit
6 changes: 4 additions & 2 deletions packages/bruno-electron/src/ipc/network/oauth2-helper.js
Expand Up @@ -29,9 +29,11 @@ const resolveOAuth2AuthorizationCodeAccessToken = async (request, collectionUid)
code: authorizationCode,
redirect_uri: callbackUrl,
client_id: clientId,
client_secret: clientSecret,
state: state
client_secret: clientSecret
};
if (state) {
data.state = state;
Contributor @pietrygamat, Sep 5, 2024

Actually, I believe the state parameter should not be sent to the access_token endpoint at all - it may be required by some services when directing the user's browser to the authorization URL, and at this stage of the flow Bruno should at most verify that the state parameter was returned from getOAuth2AuthorizationCode - or maybe ignore it, because the XSRF attacks the state parameter protects against are not a threat in Bruno's integrated browser (this may change if #2650 is implemented, though).

As a short-term solution, I suggest removing line 33

state: state

and skipping the if part entirely.

Contributor Author

You might be right - updated!

}
if (pkce) {
data['code_verifier'] = codeVerifier;
}
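Review bot: the `if (state) { data.state = state; }` block in this hunk still forwards state to the token endpoint, only now conditionally; under RFC 6749 §4.1.3 the access token request carries grant_type, code, redirect_uri and client_id (plus client authentication), and state belongs to the authorization request and its redirect response. Suggest dropping the conditional together with the former `state: state` line, and instead comparing the state returned with the authorization code against the one that was sent, so a redirect that does not belong to this authorization request is rejected before the code is exchanged. The `code_verifier` context lines below are unaffected.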