SUPPORTENG-910_oauth_state_detail

docs/index.html

@@ -1543,7 +1543,7 @@ <h3 id="oauth2">OAuth2</h3>
 </div><div class="row">
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
-      <p>Zapier&apos;s OAuth2 implementation is based on the <code>authorization_code</code> flow, similar to <a href="https://developer.github.com/v3/oauth/">GitHub</a> and <a href="https://developers.facebook.com/docs/authentication/server-side/">Facebook</a>.</p><blockquote>
+      <p>Zapier&apos;s OAuth2 implementation is based on the <code>authorization_code</code> flow, similar to <a href="https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps">GitHub</a> and <a href="https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow">Facebook</a>.</p><blockquote>
 <p>To create a new integration with OAuth2, run <code>zapier init [your app name] --template oauth2</code>. You can also check out <a href="https://github.com/zapier/zapier-platform/tree/main/example-apps/oauth2">our working example app</a>.</p>
 </blockquote><p>If your app&apos;s OAuth2 flow uses a different grant type, such as <code>client_credentials</code>, try using <a href="#session">Session auth</a> instead.</p><p>The OAuth2 flow looks like this:</p><ol>
 <li>Zapier sends the user to the authorization URL defined by your app.</li>
@@ -1643,7 +1643,10 @@ <h3 id="oauth2">OAuth2</h3>
 </div><div class="row">
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
-      <p>For OAuth2, <code>authentication.oauth2Config.authorizeUrl</code>, <code>authentication.oauth2Config.getAccessToken</code>, and <code>authentication.oauth2Config.refreshAccessToken</code> have fields like <code>redirect_uri</code> and <code>state</code> in <code>bundle.inputData</code>. After the code is exchanged for an access token and/or refresh token, those tokens are stored in <code>bundle.authData</code> for the connection.</p><p>Also, <code>authentication.oauth2Config.getAccessToken</code> has access to the additional return values in <code>rawRequest</code> and <code>cleanedRequest</code> should you need to extract other values (for example, from the query string).</p><p>If you define <code>fields</code> to collect additional details from the user, please note that <code>client_id</code> and <code>client_secret</code> are reserved keys and cannot be used as keys for input form fields.</p>
+      <p>For OAuth2, <code>authentication.oauth2Config.authorizeUrl</code>, <code>authentication.oauth2Config.getAccessToken</code>, and <code>authentication.oauth2Config.refreshAccessToken</code> have fields like <code>redirect_uri</code> and <code>state</code> in <code>bundle.inputData</code>. After the code is exchanged for an access token and/or refresh token, those tokens are stored in <code>bundle.authData</code> for the connection.</p><p>Also, <code>authentication.oauth2Config.getAccessToken</code> has access to the additional return values in <code>rawRequest</code> and <code>cleanedRequest</code> should you need to extract other values (for example, from the query string).</p><p>If you define <code>fields</code> to collect additional details from the user, please note that <code>client_id</code> and <code>client_secret</code> are reserved keys and cannot be used as keys for input form fields.</p><blockquote>
+<p>Note: The OAuth2 <code>state</code> param is a <a href="https://auth0.com/docs/secure/attack-protection/state-parameters">standard security feature</a> that helps ensure that authorization requests are only coming from your servers. Most OAuth clients have support for this and will send back the <code>state</code> query param that the user brings to your app. The Zapier Platform performs this check and this required field cannot be disabled. The state parameter is automatically generated by Zapier in the background, and can be accessed at <code>bundle.inputData.state</code>. 
+Since Zapier uses the <code>state</code> to verify that GET requests to your redirect URL truly come from your app, it needs to be generated by Zapier so that it can be validated later (once the user confirms that they&apos;d like to grant Zapier permission to access their account in your app).</p>
+</blockquote>
     </div>
     <div class="col-md-7 col-sm-12 col-height is-empty docs-code">
 
@@ -3360,7 +3363,7 @@ <h3 id="bundlecleanedrequest"><code>bundle.cleanedRequest</code></h3>
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
       <blockquote>
-<p><code>bundle.cleanedRequest</code> is only available in the <code>perform</code> for webhooks, <code>getAccessToken</code> for oauth authentication methods, and <code>performResume</code> in a callback action.</p>
+<p><code>bundle.cleanedRequest</code> is only available in the <code>perform</code> for webhooks, <code>getAccessToken</code> for OAuth authentication methods, and <code>performResume</code> in a callback action.</p>
 </blockquote><p><code>bundle.cleanedRequest</code> will return a formatted and parsed version of the request. Some or all of the following will be available:</p>
     </div>
     <div class="col-md-7 col-sm-12 col-height  docs-code">

packages/cli/README-source.md

@@ -405,7 +405,7 @@ Also, `authentication.oauth1Config.getAccessToken` has access to the additional
 
 ### OAuth2
 
-Zapier's OAuth2 implementation is based on the `authorization_code` flow, similar to [GitHub](https://developer.github.com/v3/oauth/) and [Facebook](https://developers.facebook.com/docs/authentication/server-side/).
+Zapier's OAuth2 implementation is based on the `authorization_code` flow, similar to [GitHub](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps) and [Facebook](https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow).
 
 > To create a new integration with OAuth2, run `zapier init [your app name] --template oauth2`. You can also check out [our working example app](https://github.com/zapier/zapier-platform/tree/main/example-apps/oauth2).
 
@@ -451,6 +451,9 @@ Also, `authentication.oauth2Config.getAccessToken` has access to the additional
 
 If you define `fields` to collect additional details from the user, please note that `client_id` and `client_secret` are reserved keys and cannot be used as keys for input form fields.
 
+> Note: The OAuth2 `state` param is a [standard security feature](https://auth0.com/docs/secure/attack-protection/state-parameters) that helps ensure that authorization requests are only coming from your servers. Most OAuth clients have support for this and will send back the `state` query param that the user brings to your app. The Zapier Platform performs this check and this required field cannot be disabled. The state parameter is automatically generated by Zapier in the background, and can be accessed at `bundle.inputData.state`. 
+Since Zapier uses the `state` to verify that GET requests to your redirect URL truly come from your app, it needs to be generated by Zapier so that it can be validated later (once the user confirms that they'd like to grant Zapier permission to access their account in your app).
+
 
 ### OAuth2 with PKCE
 
@@ -1007,7 +1010,7 @@ In `bundle.rawRequest`, headers other than `Content-Length` and `Content-Type` w
 
 ### `bundle.cleanedRequest`
 
-> `bundle.cleanedRequest` is only available in the `perform` for webhooks, `getAccessToken` for oauth authentication methods, and `performResume` in a callback action.
+> `bundle.cleanedRequest` is only available in the `perform` for webhooks, `getAccessToken` for OAuth authentication methods, and `performResume` in a callback action.
 
 `bundle.cleanedRequest` will return a formatted and parsed version of the request. Some or all of the following will be available:
 

packages/cli/README.md

@@ -763,7 +763,7 @@ Also, `authentication.oauth1Config.getAccessToken` has access to the additional
 
 ### OAuth2
 
-Zapier's OAuth2 implementation is based on the `authorization_code` flow, similar to [GitHub](https://developer.github.com/v3/oauth/) and [Facebook](https://developers.facebook.com/docs/authentication/server-side/).
+Zapier's OAuth2 implementation is based on the `authorization_code` flow, similar to [GitHub](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps) and [Facebook](https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow).
 
 > To create a new integration with OAuth2, run `zapier init [your app name] --template oauth2`. You can also check out [our working example app](https://github.com/zapier/zapier-platform/tree/main/example-apps/oauth2).
 
@@ -871,6 +871,9 @@ Also, `authentication.oauth2Config.getAccessToken` has access to the additional
 
 If you define `fields` to collect additional details from the user, please note that `client_id` and `client_secret` are reserved keys and cannot be used as keys for input form fields.
 
+> Note: The OAuth2 `state` param is a [standard security feature](https://auth0.com/docs/secure/attack-protection/state-parameters) that helps ensure that authorization requests are only coming from your servers. Most OAuth clients have support for this and will send back the `state` query param that the user brings to your app. The Zapier Platform performs this check and this required field cannot be disabled. The state parameter is automatically generated by Zapier in the background, and can be accessed at `bundle.inputData.state`. 
+Since Zapier uses the `state` to verify that GET requests to your redirect URL truly come from your app, it needs to be generated by Zapier so that it can be validated later (once the user confirms that they'd like to grant Zapier permission to access their account in your app).
+
 
 ### OAuth2 with PKCE
 
@@ -1980,7 +1983,7 @@ In `bundle.rawRequest`, headers other than `Content-Length` and `Content-Type` w
 
 ### `bundle.cleanedRequest`
 
-> `bundle.cleanedRequest` is only available in the `perform` for webhooks, `getAccessToken` for oauth authentication methods, and `performResume` in a callback action.
+> `bundle.cleanedRequest` is only available in the `perform` for webhooks, `getAccessToken` for OAuth authentication methods, and `performResume` in a callback action.
 
 `bundle.cleanedRequest` will return a formatted and parsed version of the request. Some or all of the following will be available:
 

packages/cli/docs/index.html

@@ -1543,7 +1543,7 @@ <h3 id="oauth2">OAuth2</h3>
 </div><div class="row">
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
-      <p>Zapier&apos;s OAuth2 implementation is based on the <code>authorization_code</code> flow, similar to <a href="https://developer.github.com/v3/oauth/">GitHub</a> and <a href="https://developers.facebook.com/docs/authentication/server-side/">Facebook</a>.</p><blockquote>
+      <p>Zapier&apos;s OAuth2 implementation is based on the <code>authorization_code</code> flow, similar to <a href="https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps">GitHub</a> and <a href="https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow">Facebook</a>.</p><blockquote>
 <p>To create a new integration with OAuth2, run <code>zapier init [your app name] --template oauth2</code>. You can also check out <a href="https://github.com/zapier/zapier-platform/tree/main/example-apps/oauth2">our working example app</a>.</p>
 </blockquote><p>If your app&apos;s OAuth2 flow uses a different grant type, such as <code>client_credentials</code>, try using <a href="#session">Session auth</a> instead.</p><p>The OAuth2 flow looks like this:</p><ol>
 <li>Zapier sends the user to the authorization URL defined by your app.</li>
@@ -1643,7 +1643,10 @@ <h3 id="oauth2">OAuth2</h3>
 </div><div class="row">
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
-      <p>For OAuth2, <code>authentication.oauth2Config.authorizeUrl</code>, <code>authentication.oauth2Config.getAccessToken</code>, and <code>authentication.oauth2Config.refreshAccessToken</code> have fields like <code>redirect_uri</code> and <code>state</code> in <code>bundle.inputData</code>. After the code is exchanged for an access token and/or refresh token, those tokens are stored in <code>bundle.authData</code> for the connection.</p><p>Also, <code>authentication.oauth2Config.getAccessToken</code> has access to the additional return values in <code>rawRequest</code> and <code>cleanedRequest</code> should you need to extract other values (for example, from the query string).</p><p>If you define <code>fields</code> to collect additional details from the user, please note that <code>client_id</code> and <code>client_secret</code> are reserved keys and cannot be used as keys for input form fields.</p>
+      <p>For OAuth2, <code>authentication.oauth2Config.authorizeUrl</code>, <code>authentication.oauth2Config.getAccessToken</code>, and <code>authentication.oauth2Config.refreshAccessToken</code> have fields like <code>redirect_uri</code> and <code>state</code> in <code>bundle.inputData</code>. After the code is exchanged for an access token and/or refresh token, those tokens are stored in <code>bundle.authData</code> for the connection.</p><p>Also, <code>authentication.oauth2Config.getAccessToken</code> has access to the additional return values in <code>rawRequest</code> and <code>cleanedRequest</code> should you need to extract other values (for example, from the query string).</p><p>If you define <code>fields</code> to collect additional details from the user, please note that <code>client_id</code> and <code>client_secret</code> are reserved keys and cannot be used as keys for input form fields.</p><blockquote>
+<p>Note: The OAuth2 <code>state</code> param is a <a href="https://auth0.com/docs/secure/attack-protection/state-parameters">standard security feature</a> that helps ensure that authorization requests are only coming from your servers. Most OAuth clients have support for this and will send back the <code>state</code> query param that the user brings to your app. The Zapier Platform performs this check and this required field cannot be disabled. The state parameter is automatically generated by Zapier in the background, and can be accessed at <code>bundle.inputData.state</code>. 
+Since Zapier uses the <code>state</code> to verify that GET requests to your redirect URL truly come from your app, it needs to be generated by Zapier so that it can be validated later (once the user confirms that they&apos;d like to grant Zapier permission to access their account in your app).</p>
+</blockquote>
     </div>
     <div class="col-md-7 col-sm-12 col-height is-empty docs-code">
 
@@ -3360,7 +3363,7 @@ <h3 id="bundlecleanedrequest"><code>bundle.cleanedRequest</code></h3>
   <div class="row-height">
     <div class="col-md-5 col-sm-12 col-height  docs-primary">
       <blockquote>
-<p><code>bundle.cleanedRequest</code> is only available in the <code>perform</code> for webhooks, <code>getAccessToken</code> for oauth authentication methods, and <code>performResume</code> in a callback action.</p>
+<p><code>bundle.cleanedRequest</code> is only available in the <code>perform</code> for webhooks, <code>getAccessToken</code> for OAuth authentication methods, and <code>performResume</code> in a callback action.</p>
 </blockquote><p><code>bundle.cleanedRequest</code> will return a formatted and parsed version of the request. Some or all of the following will be available:</p>
     </div>
     <div class="col-md-7 col-sm-12 col-height  docs-code">