As @cnelson pointed out, we currently pass "state" as the state token instead of a long unguessable string, and we don't verify it on auth callback. We should do this here or possibly send a patch to goth to handle it there--see https://github.com/markbates/goth/issues/136.
Could be another interesting issue to tackle with @jseppi.
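An added sketch of the fix described above, not code from this project or from goth: generate a long random state per login, bind it to the browser, and compare it on the callback. It uses only the Go standard library; the cookie name, the `/auth/callback` path and the function names are hypothetical, and keeping the state in a cookie rather than a server-side session is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const stateCookie = "oauth_state" // hypothetical cookie name

// newState returns 32 bytes from the CSPRNG, URL-safe encoded (43 chars).
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// beginAuth binds a fresh state to the browser; put the result in the auth URL.
func beginAuth(w http.ResponseWriter) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/",
		MaxAge: 600, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return state, nil
}

// verifyState reports whether the callback's state matches the cookie.
func verifyState(r *http.Request) bool {
	c, err := r.Cookie(stateCookie)
	got := r.URL.Query().Get("state")
	if err != nil || c.Value == "" || got == "" {
		return false // missing cookie or missing parameter: reject
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) == 1
}

func main() {
	// Constructed round trip: start a login, then replay the callback.
	rec := httptest.NewRecorder()
	state, _ := beginAuth(rec)
	cb := httptest.NewRequest("GET", "/auth/callback?state="+state, nil)
	cb.AddCookie(rec.Result().Cookies()[0])
	fmt.Println("matching state accepted:", verifyState(cb))
}
```

The callback handler should also expire the cookie once it has been checked so a state value is accepted only once.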