feat: add state parameter to OAuth strategies for enhanced security (#1902)

Yukaii · web-flow · commit 6dd3d9253e7a · 2025-05-15T14:00:53.000+08:00
diff --git a/lib/auth/bitbucket/index.js b/lib/auth/bitbucket/index.js
@@ -11,7 +11,8 @@ const bitbucketAuth = module.exports = Router()
 passport.use(new BitbucketStrategy({
   clientID: config.bitbucket.clientID,
   clientSecret: config.bitbucket.clientSecret,
-  callbackURL: config.serverURL + '/auth/bitbucket/callback'
+  callbackURL: config.serverURL + '/auth/bitbucket/callback',
+  state: true
 }, passportGeneralCallback))
 
 bitbucketAuth.get('/auth/bitbucket', function (req, res, next) {
diff --git a/lib/auth/dropbox/index.js b/lib/auth/dropbox/index.js
@@ -12,7 +12,8 @@ passport.use(new DropboxStrategy({
   apiVersion: '2',
   clientID: config.dropbox.clientID,
   clientSecret: config.dropbox.clientSecret,
-  callbackURL: config.serverURL + '/auth/dropbox/callback'
+  callbackURL: config.serverURL + '/auth/dropbox/callback',
+  state: true
 }, passportGeneralCallback))
 
 dropboxAuth.get('/auth/dropbox', function (req, res, next) {
diff --git a/lib/auth/facebook/index.js b/lib/auth/facebook/index.js
@@ -12,7 +12,8 @@ const facebookAuth = module.exports = Router()
 passport.use(new FacebookStrategy({
   clientID: config.facebook.clientID,
   clientSecret: config.facebook.clientSecret,
-  callbackURL: config.serverURL + '/auth/facebook/callback'
+  callbackURL: config.serverURL + '/auth/facebook/callback',
+  state: true
 }, passportGeneralCallback))
 
 facebookAuth.get('/auth/facebook', function (req, res, next) {
diff --git a/lib/auth/github/index.js b/lib/auth/github/index.js
@@ -26,7 +26,8 @@ passport.use(new GithubStrategy({
   callbackURL: config.serverURL + '/auth/github/callback',
   authorizationURL: githubUrl('login/oauth/authorize'),
   tokenURL: githubUrl('login/oauth/access_token'),
-  userProfileURL: githubUrl('api/v3/user')
+  userProfileURL: githubUrl('api/v3/user'),
+  state: true
 }, async (accessToken, refreshToken, profile, done) => {
   if (!config.github.organizations) {
     return passportGeneralCallback(accessToken, refreshToken, profile, done)
diff --git a/lib/auth/gitlab/index.js b/lib/auth/gitlab/index.js
@@ -15,7 +15,8 @@ const gitlabAuthStrategy = new GitlabStrategy({
   clientID: config.gitlab.clientID,
   clientSecret: config.gitlab.clientSecret,
   scope: config.gitlab.scope,
-  callbackURL: config.serverURL + '/auth/gitlab/callback'
+  callbackURL: config.serverURL + '/auth/gitlab/callback',
+  state: true
 }, passportGeneralCallback)
 
 if (process.env.https_proxy) {
diff --git a/lib/auth/google/index.js b/lib/auth/google/index.js
@@ -12,7 +12,8 @@ passport.use(new GoogleStrategy({
   clientID: config.google.clientID,
   clientSecret: config.google.clientSecret,
   callbackURL: config.serverURL + '/auth/google/callback',
-  userProfileURL: 'https://www.googleapis.com/oauth2/v3/userinfo'
+  userProfileURL: 'https://www.googleapis.com/oauth2/v3/userinfo',
+  state: true
 }, passportGeneralCallback))
 
 googleAuth.get('/auth/google', function (req, res, next) {
diff --git a/lib/auth/twitter/index.js b/lib/auth/twitter/index.js
@@ -12,7 +12,8 @@ const twitterAuth = module.exports = Router()
 passport.use(new TwitterStrategy({
   consumerKey: config.twitter.consumerKey,
   consumerSecret: config.twitter.consumerSecret,
-  callbackURL: config.serverURL + '/auth/twitter/callback'
+  callbackURL: config.serverURL + '/auth/twitter/callback',
+  state: true
 }, passportGeneralCallback))
 
 twitterAuth.get('/auth/twitter', function (req, res, next) {
