'state' parameter has to be at the end of the auth URL, last element in $options array #4

Open
CaffeineLab opened this issue Mar 22, 2024 · 0 comments

I hacked a quick fix, but there may be a better way.

I had to move the state parameter to the end of the authurl in order for it to return a token and not fail when checking against the session saved state. The following line was failing:

    // Check given state against previously stored one to mitigate CSRF attack
    } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {

In the base League code: AbstractProvider.getAuthorizationParameters()
my solution was to just rebuild the options array in the right order:

    if (isset($options['state'])) {
        $v = $options['state'];
        unset($options['state']);
        $options['state'] = $v;
    }

and then things came together.
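
An added example, not part of the original issue or of the League library's code: a state check that reports whether the callback's `state` was missing or came back changed, which helps narrow down a failure like the one described above. The function name `verifyOAuthState` and the sample values are assumptions; the session key `oauth2state` is the one in the line quoted in the issue.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from league/oauth2-client).
 * Compares the callback's state with the one stored in the session and
 * reports why the check failed, so a changed value can be told apart
 * from a missing one.
 *
 * @param array $query   callback query parameters (normally $_GET)
 * @param array $session session storage (normally $_SESSION), by reference
 * @return string 'ok', 'no-stored-state', 'missing' or 'mismatch'
 */
function verifyOAuthState(array $query, array &$session): string
{
    $expected = $session['oauth2state'] ?? null;
    // The stored state is single use: clear it whatever the outcome.
    unset($session['oauth2state']);

    if (!is_string($expected) || $expected === '') {
        return 'no-stored-state';
    }
    $given = $query['state'] ?? null;
    if (!is_string($given) || $given === '') {
        return 'missing';
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($expected, $given) ? 'ok' : 'mismatch';
}

// Constructed sample data: one stored state and three callback query strings.
$stored = bin2hex(random_bytes(16));
$callbacks = [
    'state intact'  => 'code=abc123&state=' . $stored,
    'state altered' => 'state=' . $stored . 'X&code=abc123',
    'state absent'  => 'code=abc123',
];

foreach ($callbacks as $label => $queryString) {
    $session = ['oauth2state' => $stored];
    parse_str($queryString, $query);
    printf("%-14s => %s\n", $label, verifyOAuthState($query, $session));
}
```

Logging the returned reason in the callback handler shows whether the provider dropped the `state` value or returned a different one.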
