From dfabd56ce21f77ac729d23775002555f8ee5134d Mon Sep 17 00:00:00 2001
From: Yauhen Kharuzhy
Date: Fri, 10 Aug 2012 13:40:47 +0300
Subject: [PATCH] Allow to disable CSRF protection in individual strategies
Some OAuth2 providers ignore 'state' parameter, and don't return it back to the client. CSRF protection with this parameter is impossible for such services. Add a boolean option :provider_ignores_state for disable CSRF protection for individual strategies.
Signed-off-by: Yauhen Kharuzhy
---
lib/omniauth/strategies/oauth2.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/omniauth/strategies/oauth2.rb b/lib/omniauth/strategies/oauth2.rb
index 1fa66a3..b911dbe 100644
--- a/lib/omniauth/strategies/oauth2.rb
+++ b/lib/omniauth/strategies/oauth2.rb
@@ -24,6 +24,7 @@ class OAuth2
 option :authorize_options, [:scope]
 option :token_params, {}
 option :token_options, []
+ option :provider_ignores_state, false
 attr_accessor :access_token
@@ -68,7 +69,7 @@ def callback_phase
 if request.params['error'] || request.params['error_reason']
 raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
 end
- if request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state')
+ if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state'))
 raise CallbackError.new(nil, :csrf_detected)
 end
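Review bot: When `provider_ignores_state` is set, the added condition in callback_phase short-circuits before `session.delete('omniauth.state')` runs, so the nonce presumably stored in the session during the request phase (outside this hunk) is never cleared and stays in the session for the rest of its lifetime. Deleting it unconditionally keeps the session clean without changing the check: `state = session.delete('omniauth.state')` on its own line, then `if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != state)`. The option itself is introduced in the first hunk with no documentation even though setting it removes the only login-CSRF binding in this callback; a comment above it such as `# true disables the 'state' CSRF check entirely; only for providers that do not echo 'state' back` would make that trade-off visible to whoever enables it per strategy. callback_phase continues past the end of the hunk.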