From ec91ef1c644044bba44198b031913655e784b4bb Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Tue, 5 Jun 2018 16:01:32 -0400
Subject: [PATCH] closes #6553

---
 src/routes/authentication.js | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index fff3c997fb..986cc31ed7 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -60,13 +60,20 @@ Auth.reloadRoutes = function (callback) {
 function (loginStrategies, next) {
 loginStrategies.forEach(function (strategy) {
 if (strategy.url) {
- router.get(strategy.url, passport.authenticate(strategy.name, {
- scope: strategy.scope,
- prompt: strategy.prompt || undefined,
- }));
+ router.get(strategy.url, Auth.middleware.applyCSRF, function (req, res, next) {
+ req.session.ssoState = req.csrfToken();
+ passport.authenticate(strategy.name, {
+ scope: strategy.scope,
+ prompt: strategy.prompt || undefined,
+ state: req.session.ssoState,
+ })(req, res, next);
+ });
 }
 router.get(strategy.callbackURL, function (req, res, next) {
+ // Ensure the passed-back state value is identical to the saved ssoState
+ next(req.query.state !== req.session.ssoState ? new Error('[[error:csrf-invalid]]') : null);
+ }, function (req, res, next) {
 // Trigger registration interstitial checks
 req.session.registration = req.session.registration || {};
 next();