
Support "state" parameter in OAuth

Description

Support "state" parameter in OAuth

Summary:
Ref T1445. Ref T1536. Although we have separate CSRF protection and have never been vulnerable to OAuth hijacking, properly implementing the "state" parameter provides a little more certainty.

Before OAuth, we set a random value on the client, and pass its hash as the "state" parameter. Upon return, validate that (a) the user has a nonempty "phcid" cookie and (b) the OAuth endpoint passed back the correct state (the hash of that cookie).

Test Plan: Logged in with all OAuth providers, which all apparently support state.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, arice

Maniphest Tasks: T1445, T1536

Differential Revision: https://secure.phabricator.com/D6179
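The two halves of the scheme the summary describes (set a random client-side value, send its hash as "state", then on return require a nonempty "phcid" cookie and a matching state) as a small self-contained example. This is added illustrative code, not Phorge's or Phabricator's implementation: the provider URL, callback URL and the in-memory cookie dict are hypothetical stand-ins, and the hash and comparison functions are my own choices rather than anything the commit specifies.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def hash_state(client_id: str) -> str:
    """Derive the OAuth "state" value from the client-side secret.

    Only the hash leaves the browser, so the raw cookie value never appears
    in the provider redirect, the provider's logs, or Referer headers.
    (SHA-256 is this example's choice, not something the commit mandates.)
    """
    return hashlib.sha256(client_id.encode("utf-8")).hexdigest()


def begin_oauth(cookies: dict, authorize_url: str, redirect_uri: str) -> str:
    """Step 1, before redirecting to the provider.

    Ensure the browser holds a random secret in the "phcid" cookie, then
    build the authorization URL with state = hash(phcid). `cookies` is a
    stand-in for the real cookie jar (hypothetical, dict in, dict out).
    """
    if not cookies.get("phcid"):
        cookies["phcid"] = secrets.token_hex(16)
    params = {"redirect_uri": redirect_uri, "state": hash_state(cookies["phcid"])}
    return authorize_url + "?" + urlencode(params)


def validate_oauth_return(cookies: dict, callback_url: str) -> bool:
    """Step 2, on return from the provider.

    (a) the user must present a nonempty "phcid" cookie, and
    (b) the "state" echoed back must equal hash(phcid).
    Either failure means this browser did not start the flow (for example,
    a victim being walked into an attacker's authorization response).
    """
    client_id = cookies.get("phcid")
    if not client_id:
        return False
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state:
        return False
    # Constant-time compare so the check does not leak the expected hash.
    return hmac.compare_digest(state, hash_state(client_id))


def _state_from(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]


def demo() -> dict:
    """Run an honest flow, a cross-browser forgery, and a cookieless return."""
    auth = "https://provider.example/oauth/authorize"   # hypothetical provider
    cb = "https://phorge.example/auth/login/provider/"  # hypothetical callback

    # Honest flow: the same browser starts the flow and receives the callback.
    browser = {}
    state = _state_from(begin_oauth(browser, auth, cb))
    honest = validate_oauth_return(browser, cb + "?code=abc&state=" + state)

    # Forgery: an attacker starts a flow in their own browser and tries to
    # deliver the resulting callback to the victim's browser. The victim's
    # phcid is different, so hash(phcid) does not match the attacker's state.
    attacker = {}
    attacker_state = _state_from(begin_oauth(attacker, auth, cb))
    forged = validate_oauth_return(browser, cb + "?code=evil&state=" + attacker_state)

    # Missing cookie: a browser with no phcid at all is rejected even if the
    # state value itself happens to be well-formed.
    no_cookie = validate_oauth_return({}, cb + "?code=abc&state=" + state)

    return {"honest": honest, "forged": forged, "no_cookie": no_cookie}
```

The hash in the state parameter is what lets the provider round-trip a value tied to the browser without the cookie value itself ever being sent to the provider; the cookie check on return is what stops a callback URL generated in one browser from completing login in another.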

Details

Provenance
epriestley, authored on Jun 16 2013, 10:18 AM
themackabu, pushed on Mar 25 2025, 8:07 PM
Parents
rPfdbd3776255f: Replace old login validation controller with new one
Branches
Unknown
Tags
Unknown