Closed jeff-r-koyaltech closed 2 months ago
Hi @jeff-r-koyaltech, thanks for reaching out. Actually, if you notice in the README doc under USAGE at the top, it says:
"We assume that you have a basic understanding about OAuth2.0. If not please read API Documentation for clear understanding".
The API Doc link has the following details about the "state" parameter used in the authorizeUri() call:
> **state**
>
> Defines the state between your authorization request and the Intuit OAuth 2.0 Server response.
>
> The state field is used for validation. It checks if the client (i.e. your app) gets the data back that it sent in the original request. Meaning, the state is maintained from send to response.
>
> You can enter any string value for the state. The server should return the exact state : value pair sent in the original request.
>
> Tip: We strongly recommend you include an anti-forgery token for the state and confirm it in the response. This prevents cross-site request forgery. Learn more [about CSRF](https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/faq).
However, if you still feel adding a comment there on the "state" parameter will help clarify, please let me know. Will add. Thanks.
That's a fair point @rajeshgupta723. It probably "feels" important to me because I was just learning OAuth 2.0 while also getting familiar with the library.
This is a really trivial one, but would the team object to a PR that documents the purpose of the state variable in the README? It has a value of "testState", but doesn't have any explanation. It's actually really useful for environments where you're trying to integrate with QuickBooks and your app is multi-tenanted in its architecture.
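The following is an added example, not part of the thread and not the library's own code. It sketches the anti-forgery use of `state` from the quoted API doc, extended to the multi-tenant case raised in the issue. The `session` object (a per-user server-side session), the `pendingOAuth` field, the function names and the 10-minute lifetime are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed lifetime of a pending authorization request.
const STATE_TTL_MS = 10 * 60 * 1000;

// Build the value to pass as `state` in the authorizeUri() call instead of a
// fixed string such as "testState". `session` is a hypothetical server-side
// session object tied to the logged-in user.
function createState(session, tenantId, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('base64url');
  // The tenant id travels in the URL, so treat it as readable, not secret.
  const state = Buffer.from(JSON.stringify({ tenantId, nonce })).toString('base64url');
  session.pendingOAuth = { state, tenantId, expiresAt: now + STATE_TTL_MS };
  return state;
}

// Call in the redirect handler with the `state` query parameter that came back.
// Returns the tenant id recorded at request time, or null if the callback
// must be rejected.
function verifyState(session, returnedState, now = Date.now()) {
  const pending = session.pendingOAuth;
  delete session.pendingOAuth; // single use: a replayed callback finds nothing
  if (!pending || typeof returnedState !== 'string') return null;
  if (now > pending.expiresAt) return null;
  const expected = Buffer.from(pending.state);
  const received = Buffer.from(returnedState);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== received.length) return null;
  if (!crypto.timingSafeEqual(expected, received)) return null;
  // Trust the tenant stored server-side, never the one decoded from the URL.
  return pending.tenantId;
}
```

Only exchange the authorization code for tokens when `verifyState` returns a tenant id; a `null` result means the callback did not originate from a request this session started.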