Discord OAuth supports a 'state' parameter, as described in https://discord.com/developers/docs/topics/oauth2#state-and-security
This state parameter is bound between a server and an individual user. This prevents the following attack scenario:
Attacker initializes a new OAuth login; this is then interrupted and forwarded to the victim. The victim continues the OAuth flow thinking it's their own, completing it and authenticating the attacker.
I'm not entirely sure if there is more to this attack, or an alternative attack the state parameter protects against. In theory pwncrates should not be vulnerable, given that the victim controls the OAuth callback, and thus also the authenticated account, but it's an additional security mechanism so there is little reason not to.
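As an added illustration (example code, not pwncrates' own): one way to bind the Discord `state` value to a single session and reject a callback that arrives in a different session, with the interrupted-flow scenario from the post checked against it. Sessions are plain dicts standing in for a server-side session store, and the client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Discord's authorize endpoint; the query parameters below are the standard
# OAuth2 authorization-code parameters plus 'state'.
AUTHORIZE_URL = "https://discord.com/oauth2/authorize"


def begin_login(session, client_id, redirect_uri):
    """Mint a fresh random state, store it in the caller's session and
    build the Discord authorize URL that carries it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "identify",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_login(session, returned_state):
    """Accept the callback only if the state it carries matches the one
    stored in *this* session. The stored value is consumed either way,
    so a state cannot be replayed."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def demo():
    """Constructed walk-through of the scenario in the post."""
    attacker, victim = {}, {}
    begin_login(attacker, "CLIENT_ID_PLACEHOLDER", "https://example.invalid/callback")
    attacker_state = attacker["oauth_state"]
    # The attacker hands the half-finished flow (callback carrying their
    # state) to the victim. The victim's session never issued that state,
    # so the callback is rejected there ...
    victim_accepts = finish_login(victim, attacker_state)
    # ... while the session that actually started the flow completes,
    # and a second use of the same state is refused.
    owner_accepts = finish_login(attacker, attacker_state)
    replay_accepts = finish_login(attacker, attacker_state)
    return victim_accepts, owner_accepts, replay_accepts
```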