jaredhanson / passport-linkedin

LinkedIn authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-linkedin/?utm_source=github&utm_medium=referral&utm_campaign=passport-linkedin&utm_content=about
MIT License
141 stars 71 forks

CSRF alert - how to pass state query params #21

Open ORESoftware opened 9 years ago

ORESoftware commented 9 years ago

This is a support question, please forgive me for asking here -

I have this code:

```javascript
app.get('/auth/linkedin/callback',
  passport.authenticate('linkedin', { failureRedirect: '/charlie' }),
  function(req, res) {
    // exchanges the authorization code for an access token; the state
    // comparison that produces the error below happens inside this call
    Linkedin.auth.getAccessToken(res, req.query.code, req.query.state, function(err, results) {
      if (err) {
        console.error(err);   // here is our error
      } else {
        req.user.linkedin.access_token = results.access_token;
        return res.redirect('/');
      }
    });
  });
```

Linkedin is throwing up an error saying

{ [CSRF Alert: Possible CSRF attack, state parameters do not match.] name: 'CSRF Alert' }

According to the LinkedIn developer docs, we should pass in a state query param, like so:

https://developer.linkedin.com/docs/oauth2

sample call:

https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=123456789&redirect_uri=https%3A%2F%2Fwww.example.com%2Fauth%2Flinkedin&state=987654321&scope=r_basicprofile

however, it seems like this lib would have to take care of it somehow?

Could you please pass on any info so that I can take care of this? thanks

ORESoftware commented 9 years ago

I tried this, and it didn't seem to work :(

```javascript
passport.use(new LinkedInStrategy({
    consumerKey: linkedinConfig.clientId,
    consumerSecret: linkedinConfig.clientSecret,
    callbackURL: serverBaseUrl + '/auth/linkedin/callback',
    state: true,  // <<<<
    passReqToCallback: true // passes req as first argument to callback function
  },
  // verify callback; not shown in the original comment, added only to close the snippet
  function(req, token, tokenSecret, profile, done) {
    done(null, profile);
  }
));
```
ORESoftware commented 9 years ago

perhaps Jared you could answer the question here (I didn't ask the original question):

http://stackoverflow.com/questions/29534351/get-the-state-parameters-from-oauth-callback-in-passportjs

thanks