feat: optional oauth2 module nonce toggle

5f876ced · NGPixel · 12233c47 · 5f876ced · 5f876ced
Unverified Commit 5f876ced authored Jan 29, 2023 by NGPixel
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

authentication.js server/modules/authentication/oauth2/authentication.js +1 -1

definition.yml server/modules/authentication/oauth2/definition.yml +6 -0

No files found.
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -19,7 +19,7 @@ module.exports = {
      callbackURL: conf.callbackURL,
      passReqToCallback: true,
      scope: conf.scope,
-      state: true
+      state: conf.enableCSRFProtection
    }, async (req, accessToken, refreshToken, profile, cb) => {
      try {
        const user = await WIKI.models.users.processProfile({

--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -70,3 +70,9 @@ props:
    title: Pass access token via GET query string to User Info Endpoint
    hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
    order: 11
+  enableCSRFProtection:
+    type: Boolean
+    default: true
+    title: Enable CSRF protection
+    hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
+    order: 12