This should fix #168. With this change, Ueberauth_auth0 will always provide CSRF protection, utilizing the new ueberauth_state_param generated as of version 0.7.0 of Ueberauth.
We need this for our application, and I wanted to contribute upstream if y'all wanted the change as well. This also handles upgrading to ueberauth 0.7.0.
The one change that is breaking, in my opinion, is now the user cannot specify their own state. The only way I could see to make this change not breaking is to keep the existing strategy the same (the only change would be to set the csrf attack protection to false), and then create a new protected strategy that is almost identical except that it doesn't allow the user to specify state, and it just uses the ueberauth_state_param by default.
I also saw an argument for forcing users to use this method, since it is more secure and would automatically protect anyone that is currently using the existing strategy without their own state param.
I'm also not sure how to update the version, but I also don't know which version the maintainer would want to bump this to. I'd say 1.0.0 myself, since the change is breaking, but I know people have a lot of opinions on versions so I'll leave that up to the maintainer.
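The mechanism the PR relies on, shown as an added illustration that is not part of the PR and not Ueberauth's or ueberauth_auth0's code: a random `state` value is generated in the request phase, stored in the browser's session and sent to the provider, and the callback is accepted only if the provider echoes back the same value. Ueberauth 0.7.0 generates its value as `ueberauth_state_param`; the module, function names and the plain-map session below are hypothetical stand-ins so the flow runs stand-alone with `elixir state_param_example.exs`.

```elixir
# Added illustration of OAuth "state" CSRF protection. Not Ueberauth's code;
# StateParamExample, start_request/2, handle_callback/2 and the map-based
# session are hypothetical. Requires only Elixir and Erlang's :crypto.
defmodule StateParamExample do
  @state_key :oauth_state

  # Request phase: mint an unguessable state, remember it in this browser's
  # session, and send the same value to the provider in the redirect URL.
  def start_request(session, authorize_url) when is_map(session) do
    state = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    session = Map.put(session, @state_key, state)
    {session, authorize_url <> "?state=" <> URI.encode_www_form(state)}
  end

  # Callback phase: the provider echoes `state` back. Accept the callback only
  # if it matches the value stored in this session. The stored value is popped
  # either way, so a state can be used once and cannot be replayed.
  def handle_callback(session, params) when is_map(session) and is_map(params) do
    {expected, session} = Map.pop(session, @state_key)
    received = Map.get(params, "state")

    cond do
      is_nil(expected) or is_nil(received) -> {:error, :missing_state, session}
      secure_compare(expected, received) -> {:ok, session}
      true -> {:error, :state_mismatch, session}
    end
  end

  # Constant-time comparison so timing does not reveal which byte differs.
  # Length is compared first; a length mismatch is rejected immediately.
  defp secure_compare(a, b) when byte_size(a) != byte_size(b), do: false

  defp secure_compare(a, b) do
    :binary.bin_to_list(a)
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end)
    |> Kernel.==(0)
  end

  # Demo: a legitimate round trip succeeds; a callback carrying a state that
  # was issued to a different session (a login-CSRF attempt) is rejected.
  def run_demo do
    {victim_session, _url} = start_request(%{}, "https://auth.example/authorize")
    {attacker_session, attacker_url} = start_request(%{}, "https://auth.example/authorize")

    # The provider echoes the state back as a query parameter.
    legit_state = Map.fetch!(victim_session, @state_key)
    {:ok, _} = handle_callback(victim_session, %{"state" => legit_state})

    # Forged callback: attacker's state presented to the victim's session.
    attacker_state = URI.decode_query(URI.parse(attacker_url).query)["state"]
    {victim_session2, _} = start_request(%{}, "https://auth.example/authorize")
    {:error, :state_mismatch, _} = handle_callback(victim_session2, %{"state" => attacker_state})
    _ = attacker_session

    # A callback with no state at all is rejected too.
    {:error, :missing_state, _} = handle_callback(%{}, %{})

    IO.puts("state checks behaved as expected")
  end
end

StateParamExample.run_demo()
```

The point the PR makes follows directly from this flow: the protection only exists when the value in the session is the one the application generated, which is why the change stops callers from supplying their own `state` and always uses `ueberauth_state_param` instead.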