julianlam / nodebb-plugin-sso-twitter

NodeBB Plugin that allows users to login/register via their Twitter account.
BSD 2-Clause "Simplified" License

Bypass CSRF check. #31

Closed BenLubar closed 5 years ago

BenLubar commented 5 years ago

See inline comment for why this is safe.

Fixes #28. Fixes #29. Fixes #30.

julianlam commented 5 years ago

Odd, because core is what adds /auth/:name/callback to the router, not the plugins. How come this duplication is necessary to resolve callback url errors?

BenLubar commented 5 years ago

Core checks for CSRF by assuming that all SSO plugins use OAuth2 and sending the CSRF token as the state parameter. Twitter doesn't support OAuth2 for SSO, so the state parameter isn't sent to or from Twitter.

BenLubar commented 5 years ago

Basically, this code runs before the core SSO code and tricks it into thinking the CSRF token was provided. The passport-twitter module does its own CSRF checking, so this isn't a security risk.

It's live on https://what.thedailywtf.com/ if you want to try it out.

julianlam commented 5 years ago

Understood, this looks fine to me :+1: ~though I will likely add your explanation inline via comment~ woops, you did that too :100:

julianlam commented 5 years ago

v2.5.7