Commit 9eadd96c authored by Eric Eastwood's avatar Eric Eastwood

Fix GitLab OAuth CSRF (state query parameter)

Part of gitlab-org/gitter/webapp#2074
parent a7a1c49f
......@@ -21196,9 +21196,9 @@
}
},
"passport-gitlab2": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/passport-gitlab2/-/passport-gitlab2-4.0.0.tgz",
"integrity": "sha512-C/8/L8piHwv57J6fY/MzsEJc8yCkgsyBSzMWxfTfEHRvCaTkD08vJ5b/txydKrWrRPl4MHuZfisFnKlZHmq4yw==",
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/passport-gitlab2/-/passport-gitlab2-5.0.0.tgz",
"integrity": "sha512-cXQMgM6JQx9wHVh7JLH30D8fplfwjsDwRz+zS0pqC8JS+4bNmc1J04NGp5g2M4yfwylH9kQRrMN98GxMw7q7cg==",
"requires": {
"passport-oauth2": "^1.4.0"
}
......
......@@ -44,6 +44,10 @@ var gitlabStrategy = new GitLabStrategy(
clientID: config.get('gitlaboauth:client_id'),
clientSecret: config.get('gitlaboauth:client_secret'),
callbackURL: callbackUrlBuilder('gitlab'),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
passReqToCallback: true,
scope: ['read_user', 'api'],
scopeSeparator: ' '
......
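Review bot: `state: true` only gives CSRF protection if session middleware is mounted on both the route that starts the OAuth flow and the callback route, because passport-oauth2's default state store keeps the nonce in `req.session` and the callback is rejected when the session is absent or the returned `state` does not match; the new comment should state that dependency, since a later routing change that drops the session from either route would surface as login failures rather than as a silently disabled check. I would extend the comment with `// Requires session middleware on the initiating route and the callback route: passport-oauth2 stores the nonce in req.session and rejects a callback whose state is missing or does not match.` and replace the `master` link on the third comment line with a tagged-release URL so the reference stays accurate as the upstream file changes. The `new GitLabStrategy(` call this hunk sits in starts before the hunk and its argument list continues past it, so the callback that receives `req` (enabled by `passReqToCallback`) is not visible here. A regression test asserting that the authorize redirect carries a `state` query parameter and that a callback with a mismatched `state` is refused would lock this fix in.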