State parameter on the receiveRedirect of the OAuth2Authorizer class breaks sign ins? #213
Comments
I've never tried 2FA authorization.
The problem though is still there with all my non-2FA accounts. Is there a reason why you're checking state in this function? Reddit seems to be handing a state value back now on oauth login while the app is expecting there to be none.
I'm so sorry, I don't remember the details......
Yeah that's what I patched on my fork. ezhes@d1bfb91 As I understand it state is the CSRF token but I'm not entirely sure how we're getting away with not saving it. Are we not required to use CSRF tokens since we're authorizing as an app and not using the standard reddit interface?
I got it.
I've submitted a pull. I've fixed this on my branch so I think this can be closed just fine.
So I'm not entirely sure when this issue came up but it hit me recently. When the receiveRedirect(_ url... function gets the callback I'm sending from the AppDelegate, Reddift silently ignores the request because of this check: && state == currentState
I've removed it, seemingly to no maleffect, and am able to sign in properly again. I can't seem to nail down the cause since the state data is sent with every account, not just my 2FA main account. I also can't say for sure when this changed since it only affects newly authorized accounts, not token refreshes.
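In OAuth 2.0 the client generates `state` before opening the authorization page and compares it with the value on the redirect, which is what the `state == currentState` check in this thread relies on. The following is an added example, not reddift's code and not written by anyone in this thread, of issuing, persisting and verifying that value once; `OAuthStateStore`, the storage key and the `myapp://` URLs are assumptions.

```swift
import Foundation

// Hypothetical helper, not part of reddift: issues a one-time OAuth2 `state`
// value, keeps it until the redirect returns, and verifies it exactly once.
final class OAuthStateStore {
    private let defaults: UserDefaults
    private let key = "oauth.pendingState"   // assumed storage key

    init(defaults: UserDefaults = .standard) { self.defaults = defaults }

    /// Generates 32 random bytes (hex-encoded) with the system generator and
    /// persists them, so the value survives the app being suspended while the
    /// browser is in the foreground.
    func issue() -> String {
        let state = (0..<32)
            .map { _ in String(format: "%02x", UInt8.random(in: 0...255)) }
            .joined()
        defaults.set(state, forKey: key)
        return state
    }

    /// Returns the authorization code only when the redirect carries the state
    /// issued earlier. The stored value is cleared either way (single use).
    func consume(redirect url: URL) -> String? {
        let stored = defaults.string(forKey: key)
        defaults.removeObject(forKey: key)
        guard let expected = stored, !expected.isEmpty,
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              let state = items.first(where: { $0.name == "state" })?.value,
              let code = items.first(where: { $0.name == "code" })?.value,
              state == expected
        else { return nil }
        return code
    }
}

// Constructed redirects: the scheme, host and code value are made up.
let store = OAuthStateStore()

_ = store.issue()
let forged = URL(string: "myapp://response?state=not-the-issued-value&code=SAMPLECODE")!
print(store.consume(redirect: forged) ?? "rejected")   // redirect with a foreign state

let state = store.issue()
let genuine = URL(string: "myapp://response?state=\(state)&code=SAMPLECODE")!
print(store.consume(redirect: genuine) ?? "rejected")  // redirect with the issued state
print(store.consume(redirect: genuine) ?? "rejected")  // replay of the same redirect
```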