Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[auth] Add OAuth2 state param for csrf protection #18

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[auth] Add OAuth2 state param for csrf protection #18

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7a372cc
add state param to AuthZ request and verify it
ritou Apr 26, 2018
b6ef863
use Base64 "URL" encode
ritou Apr 26, 2018
7499529
Merge branch 'master' into add-state-param-for-CSRF-protection
JustinBeckwith Oct 9, 2019
7344fef
Merge branch 'master' into add-state-param-for-CSRF-protection
ritou Jun 29, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 25 additions & 4 deletions auth/web/controllers/auth_controller.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,11 @@ defmodule GoogleOAuth2Example.AuthController do
be used to request an access token. The access token will then be used to
access protected resources on behalf of the user.
"""
def callback(conn, %{"code" => code}) do
def callback(conn, %{"code" => code, "state" => state}) when is_binary(state) do
if conn |> get_session(:state) != state do
raise "state parameter is invalid."
end

# Exchange an auth code for an access token
client = Google.get_token!(code: code)

Expand Down Expand Up @@ -36,9 +40,9 @@ defmodule GoogleOAuth2Example.AuthController do
This action is reached via `/auth` and redirects to the Google OAuth2 provider.
"""
def index(conn, _params) do
redirect conn, external: Google.authorize_url!(
scope: "https://www.googleapis.com/auth/userinfo.email"
)
conn
|> set_state()
|> redirect_to_authrization_url()
end

def delete(conn, _params) do
Expand All @@ -47,4 +51,21 @@ defmodule GoogleOAuth2Example.AuthController do
|> configure_session(drop: true)
|> redirect(to: "/")
end

defp set_state(conn) do
case conn |> get_session(:state) do
nil ->
state = :crypto.strong_rand_bytes(32) |> Base.url_encode64 |> binary_part(0, 32)
conn |> put_session(:state, state)
_ -> conn
end
end

defp redirect_to_authrization_url(conn) do
conn
|> redirect( external: Google.authorize_url!(
state: conn |> get_session(:state),
scope: "https://www.googleapis.com/auth/userinfo.email"
))
end
end