Use state to mitigate CSRF #612
I have a question: why doesn't omniauth provide a 'state' param to prevent CSRF? For example, Facebook supports it and returns it back to make sure you are the one who started the auth process. There should be 2 params: code and state. Now it's only code, and it is vulnerable. Should I add one?
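The attack the issue describes works because the callback accepts any `code`: an attacker completes the provider's authorization with their own account, takes the resulting `code`, and gets the victim's browser to load `/auth/callback?code=...`, so the victim's logged-in session is linked to the attacker's provider account. The `state` round-trip below is an added example written for this page, not omniauth's own code. It shows the two halves of the check: mint a random value and keep it server-side in the request phase, then in the callback phase accept only a `code` that arrives together with that exact value, once. The session key `omniauth.state` and the `request_phase`/`callback_phase` helper names are this example's own choices.

```ruby
require 'securerandom'

# Added example (not omniauth's code): the OAuth 2.0 'state' parameter as a
# CSRF token that binds a provider callback to the browser session that
# started the flow.
module OAuthStateCheck
  STATE_KEY = 'omniauth.state' # hypothetical session key, chosen for this example

  # Request phase: generate an unguessable state, store it in the caller's
  # server-side session, and return the query parameters to send to the
  # provider's authorize endpoint. The provider echoes 'state' back unchanged.
  def self.request_phase(session, redirect_uri:)
    state = SecureRandom.hex(24) # 192 bits from the OS CSPRNG
    session[STATE_KEY] = state
    {
      'response_type' => 'code',
      'redirect_uri'  => redirect_uri,
      'state'         => state
    }
  end

  # Callback phase: the only callback accepted is one whose 'state' matches the
  # value stored in THIS session. A 'code' an attacker obtained in their own
  # session arrives with no state, or with the attacker's state, and is rejected.
  # The stored state is deleted first so it is single-use even on failure.
  def self.callback_phase(session, params)
    expected = session.delete(STATE_KEY)
    provided = params['state']
    return [:failure, :csrf_detected] if expected.nil? || provided.nil?
    return [:failure, :csrf_detected] unless secure_compare(expected, provided)
    return [:failure, :missing_code]  if params['code'].nil? || params['code'].empty?
    [:success, params['code']]
  end

  # Constant-time string comparison so the check does not leak how many
  # leading bytes of the state an attacker guessed correctly.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    expected_bytes = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ expected_bytes.shift }
    diff.zero?
  end

  # Walks both the legitimate flow and the login-CSRF attempt and returns the
  # outcomes so the difference can be inspected (or asserted on).
  def self.demo
    # Legitimate user: request phase and callback happen in the same session.
    victim_session = {}
    authorize_params = request_phase(victim_session, redirect_uri: 'https://app.example/auth/callback')
    # Constructed provider response: the provider echoes 'state' verbatim.
    legit_callback = { 'code' => 'code-for-victim', 'state' => authorize_params['state'] }
    legit = callback_phase(victim_session, legit_callback)

    # Login CSRF: attacker starts their own flow elsewhere, obtains a code, then
    # lures the victim (whose session has a fresh, different state) to the
    # callback URL. Without the state check this would link the attacker's
    # provider account to the victim's session.
    victim_session2 = {}
    request_phase(victim_session2, redirect_uri: 'https://app.example/auth/callback')
    forged_callback = { 'code' => 'code-for-attacker' } # no state, or the wrong one
    forged = callback_phase(victim_session2, forged_callback)

    { legitimate: legit, forged: forged }
  end
end

if __FILE__ == $PROGRAM_NAME
  p OAuthStateCheck.demo
end
```

Note that the check fails closed: a provider that drops the `state` parameter on the way back is indistinguishable from a forged callback, so such a provider's callbacks are rejected rather than silently trusted.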
nice one, for me :)
About the solution: the only thing I fear is some dumb providers that just wouldn't pass back that state param. But if it's rare and the code really works (I didn't have a chance to test it with the real OAuth providers, that's why I asked for your help), we can create a pull request for it.