Don't rely on "me" in the callback URL
#79
Comments
This breaks https://commentpara.de, which hands out different user URLs depending on their login. You input https://commentpara.de/ as URL, and the auth endpoint returns https://commentpara.de/user/3.htm
@cweiske This is just about not using the |
For reference: Taking "me" from the callback is not secure because the user could change/forge that.
should get the "me" from the session to avoid being tricked into exchanging the auth code at some other server
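The thread above makes two points that pull in different directions: the "me" in the callback query string is attacker-controllable, so a client that discovers the authorization endpoint from it can be tricked into sending the code elsewhere; but the authorization endpoint is also allowed to hand back a different, canonical profile URL (the commentpara.de case). The client-side handling that satisfies both is shown below as an added example. It is not code from this project or from commentpara.de; the discovery table, the fake authorization servers, the session dict and the hosts attacker.example, rogue.example and client.example are constructed stand-ins for the HTTP requests a real client would make.

```python
"""Handling "me" on the IndieAuth client side: discover once, pin the result
in the session, and never let the callback's query string drive the exchange.

Added example, not code from the project in this issue. DISCOVERY and
AUTH_SERVERS are constructed stand-ins for fetching profile URLs and POSTing
the code back to an endpoint."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: what fetching each profile URL and reading its
# rel="authorization_endpoint" link would yield.
DISCOVERY = {
    "https://commentpara.de/": "https://commentpara.de/auth",
    "https://commentpara.de/user/3.htm": "https://commentpara.de/auth",
    "https://attacker.example/": "https://attacker.example/auth",
    "https://rogue.example/": "https://rogue.example/auth",
}

# Constructed: the "me" each authorization endpoint returns when a code is
# verified there. commentpara.de canonicalises to a per-user URL; the rogue
# server tries to claim a profile URL it does not serve.
AUTH_SERVERS = {
    "https://commentpara.de/auth": "https://commentpara.de/user/3.htm",
    "https://attacker.example/auth": "https://attacker.example/",
    "https://rogue.example/auth": "https://attacker.example/",
}


def discover_auth_endpoint(me, table=DISCOVERY):
    """Stand-in for fetching `me` and parsing its authorization_endpoint link."""
    try:
        return table[me]
    except KeyError:
        raise ValueError(f"no authorization endpoint found for {me}") from None


def exchange_code(endpoint, code, servers=AUTH_SERVERS):
    """Stand-in for POSTing the code back to `endpoint`; returns its JSON reply.
    `sent_to` records where the code actually went so the leak is observable."""
    if endpoint not in servers:
        raise ValueError(f"unknown endpoint {endpoint}")
    return {"me": servers[endpoint], "sent_to": endpoint}


def start_login(session, entered_me, client_id, redirect_uri):
    """Discover for the URL the user typed and pin everything in the session."""
    endpoint = discover_auth_endpoint(entered_me)
    state = secrets.token_urlsafe(16)
    session.update(me=entered_me, authorization_endpoint=endpoint, state=state,
                   client_id=client_id, redirect_uri=redirect_uri)
    params = {"me": entered_me, "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "response_type": "id"}
    return f"{endpoint}?{urlencode(params)}"


def vulnerable_callback(callback_url):
    """The pattern this issue is about: "me" from the callback drives discovery,
    so whoever forges that parameter chooses which server receives the code."""
    q = parse_qs(urlparse(callback_url).query)
    endpoint = discover_auth_endpoint(q["me"][0])
    return exchange_code(endpoint, q["code"][0])


def handle_callback(session, callback_url):
    """Hardened: the code goes only to the endpoint pinned by start_login()."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch")
    # q.get("me") is deliberately never read: it is attacker-controllable.
    resp = exchange_code(session["authorization_endpoint"], q["code"][0])
    returned_me = resp["me"]
    if returned_me != session["me"]:
        # The server may canonicalise the profile URL (commentpara.de does), but
        # only to one whose own discovery leads back to the same endpoint.
        if discover_auth_endpoint(returned_me) != session["authorization_endpoint"]:
            raise ValueError(f"{returned_me} is not served by "
                             f"{session['authorization_endpoint']}")
    return returned_me


if __name__ == "__main__":
    session = {}
    start_login(session, "https://commentpara.de/", "https://client.example/",
                "https://client.example/cb")
    cb = (f"https://client.example/cb?code=abc123&state={session['state']}"
          "&me=https://attacker.example/")
    print("vulnerable sent code to:", vulnerable_callback(cb)["sent_to"])
    print("hardened accepted me:", handle_callback(session, cb))
```

With a forged `me=https://attacker.example/` in the callback, `vulnerable_callback` delivers the code to attacker.example's endpoint, while `handle_callback` ignores the parameter, exchanges at the pinned commentpara.de endpoint, and still accepts the canonical https://commentpara.de/user/3.htm because that URL discovers to the same endpoint; a server that returns a `me` served by some other endpoint is rejected.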