From 2b9322e1c228a6732273e20be4cef3e39229709a Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 18 Jan 2019 16:14:34 -0500
Subject: [PATCH] feat: additional options for SSO plugins

+checkState property, pass Boolean false to skip nonce checking
+callbackMethod, default 'get', you can pass in 'post', etc.

---
 src/routes/authentication.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index 5f300bc397..81af7fe550 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -74,8 +74,12 @@ Auth.reloadRoutes = function (router, callback) {
 });
 }
 
- router.get(strategy.callbackURL, function (req, res, next) {
- // Ensure the passed-back state value is identical to the saved ssoState
+ router[strategy.callbackMethod || 'get'](strategy.callbackURL, function (req, res, next) {
+ // Ensure the passed-back state value is identical to the saved ssoState (unless explicitly skipped)
+ if (strategy.checkState === false) {
+ return next();
+ }
+
 next(req.query.state !== req.session.ssoState ? new Error('[[error:csrf-invalid]]') : null);
 }, function (req, res, next) {
 // Trigger registration interstitial checks
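Review bot: `router[strategy.callbackMethod || 'get']` on the first added line indexes the router with a plugin-supplied string that is never restricted to an HTTP verb, so a misspelt or mixed-case value throws a TypeError while routes are being reloaded, and a value naming another router method (`use`, `param`) would register the callback with entirely different semantics. Normalising and allowlisting before the call makes the failure explicit: `const method = String(strategy.callbackMethod || 'get').toLowerCase();` followed by a check that `['get', 'post'].includes(method)` (extend the list as further verbs are needed) before `router[method](strategy.callbackURL, ...)`. The `strategy.checkState === false` branch disables the only CSRF protection on the callback, and the added comment says "unless explicitly skipped" without saying what the plugin then owes; I would reword it to `// Ensure the passed-back state value is identical to the saved ssoState; plugins that set checkState to false must verify the state/nonce in their own strategy` and log a warning at registration time when a strategy opts out, so the relaxed configuration is visible in the logs rather than only in plugin code. Auth.reloadRoutes begins and ends outside this hunk, so where such a warning is best placed cannot be judged from here.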