Make state encoding signatures consistent

oauth2-proxy · Feb 20, 2021 · 0bcafcc · 0bcafcc
1 parent 6414933
commit 0bcafcc
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -649,7 +649,7 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 	callbackRedirect := p.getOAuthRedirectURI(req)
 	loginURL := p.provider.GetLoginURL(
 		callbackRedirect,
-		encodeState(csrf, appRedirect),
+		encodeState(csrf.HashOAuthState(), appRedirect),
 		csrf.HashOIDCNonce(),
 	)
 
@@ -1109,8 +1109,8 @@ func extractAllowedGroups(req *http.Request) map[string]struct{} {
 
 // encodedState builds the OAuth state param out of our nonce and
 // original application redirect
-func encodeState(csrf cookies.CSRF, redirect string) string {
-	return fmt.Sprintf("%v:%v", csrf.HashOAuthState(), redirect)
+func encodeState(nonce string, redirect string) string {
+	return fmt.Sprintf("%v:%v", nonce, redirect)
 }
 
 // decodeState splits the reflected OAuth state response back into

diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go
@@ -36,7 +36,7 @@ func MakeCookieFromOptions(req *http.Request, name string, value string, opts *o
 		SameSite: ParseSameSite(opts.SameSite),
 	}
 
-	WarnInvalidDomain(c, req)
+	warnInvalidDomain(c, req)
 
 	return c
 }
@@ -69,9 +69,9 @@ func ParseSameSite(v string) http.SameSite {
 	}
 }
 
-// WarnInvalidDomain logs a warning if the request host and cookie domain are
+// warnInvalidDomain logs a warning if the request host and cookie domain are
 // mismatched.
-func WarnInvalidDomain(c *http.Cookie, req *http.Request) {
+func warnInvalidDomain(c *http.Cookie, req *http.Request) {
 	if c.Domain == "" {
 		return
 	}