jaredhanson / passport-oauth2

OAuth 2.0 authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-oauth2/?utm_source=github&utm_medium=referral&utm_campaign=passport-oauth2&utm_content=about
MIT License

state: true leads to &state=true parameter in OAuth requests #139

Closed plashenkov closed 3 years ago

plashenkov commented 3 years ago

Hi there!

As you mentioned here, it is possible to use {state: true} to automatically generate and use the state parameter. https://github.com/jaredhanson/passport-facebook/issues/14#issuecomment-22733478 https://github.com/jaredhanson/passport-github/issues/53#issuecomment-178928719

But it seems it doesn't work, and this option simply passes ...&state=true parameter to OAuth queries. Is this a bug? Or maybe I'm doing something wrong?

jaredhanson commented 3 years ago

{ state: true } is intended to be passed to the constructor, not as an option to the strategy. If that is done, the state query parameter will be set to a nonce on the redirect to the OAuth 2.0 server.

That being said, I just released new and improved support for application-level state. More information can be found on the blog: Application State in OAuth 2.0
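An added example, not part of the original comment and not passport-oauth2's own code: a simplified model of the two behaviours described in this thread, plus a regression check a test suite can run against the authorization redirect. The helper names, the `oauthState` session key, the endpoint and the client id are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed values for illustration only.
const AUTHORIZE_URL = 'https://idp.example/oauth2/authorize';
const CLIENT_ID = 'example-client';

// Hypothetical helper modelling the redirect as the thread describes it.
// strategyOpts: options given to the strategy constructor.
// authOpts: options given per authentication request.
function buildRedirect(strategyOpts, authOpts, session) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CLIENT_ID);
  if (strategyOpts.state === true) {
    // Constructor-level flag: generate a nonce and keep it in the session.
    const nonce = crypto.randomBytes(24).toString('hex');
    session.oauthState = nonce;
    url.searchParams.set('state', nonce);
  } else if (authOpts.state !== undefined) {
    // Per-request value is forwarded verbatim, so `true` becomes "state=true".
    url.searchParams.set('state', String(authOpts.state));
  }
  return url.toString();
}

// Callback side: the returned state must match the session nonce, and the
// nonce is consumed on first use so a replayed callback fails.
function verifyCallback(query, session) {
  const expected = session.oauthState;
  delete session.oauthState;
  if (typeof expected !== 'string' || typeof query.state !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Regression check: flag a missing, short or previously seen state value.
function stateLooksLikeNonce(redirectUrl, previousStates = []) {
  const state = new URL(redirectUrl).searchParams.get('state');
  if (!state || state.length < 16) return false;
  return !previousStates.includes(state);
}
```

A constant `state=true` gives the callback nothing to bind to the user's session, which is why the check treats it the same as a missing value.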

plashenkov commented 3 years ago

Thanks, Jared! That's great!