Hello,

there is this generate_state method in oauth.py:

```python
def generate_state(self):
    """
    Generates a state which is required during the OAuth sign-in process
    """
    return jwt.encode(
        request.args.to_dict(flat=False),
        self.appbuilder.app.config["SECRET_KEY"],
        algorithm="HS256",
    )
```
It generates 'static' values for all sessions, meaning that if you get one you will know the values for all sessions on a server.
It seems the intention of this 'state' parameter is to be a CSRF protection, so it should be random.