From 5f876ced20279c7561f1c2227ae9600a1f7ddfc5 Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Sun, 29 Jan 2023 17:14:34 -0500
Subject: [PATCH] feat: optional oauth2 module nonce toggle

---
 server/modules/authentication/oauth2/authentication.js | 2 +-
 server/modules/authentication/oauth2/definition.yml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/modules/authentication/oauth2/authentication.js b/server/modules/authentication/oauth2/authentication.js
index f40fb395..7be57f74 100644
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -19,7 +19,7 @@ module.exports = {
 callbackURL: conf.callbackURL,
 passReqToCallback: true,
 scope: conf.scope,
- state: true
+ state: conf.enableCSRFProtection
 }, async (req, accessToken, refreshToken, profile, cb) => {
 try {
 const user = await WIKI.models.users.processProfile({
diff --git a/server/modules/authentication/oauth2/definition.yml b/server/modules/authentication/oauth2/definition.yml
index 0621aa39..45c19183 100644
--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -70,3 +70,9 @@ props:
 title: Pass access token via GET query string to User Info Endpoint
 hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
 order: 11
+ enableCSRFProtection:
+ type: Boolean
+ default: true
+ title: Enable CSRF protection
+ hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
+ order: 12
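Review bot: `state: conf.enableCSRFProtection` disables the state check whenever the key is merely absent, not only when an admin turns it off: a strategy configured before this option existed has no `enableCSRFProtection` in its stored config unless the loader backfills definition.yml defaults, and passport-oauth2 treats a falsy `state` option as "no state store", so an upgrade could silently drop the protection that `state: true` used to guarantee. Reading the flag as `state: conf.enableCSRFProtection !== false` preserves the declared default of `true` even when the value never reached the stored config, while still honouring an explicit `false`. Whether the module loader merges defaults into `conf` is not visible from this hunk, so that should be confirmed before relying on it. The strategy options object and the enclosing `module.exports` function both begin and end outside the hunk.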
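Review bot: The hint calls the value a `nonce`, but the option it controls sets passport-oauth2's `state`, which is the OAuth 2.0 `state` parameter rather than the OpenID Connect `nonce`; those are separate checks, and an admin reading "nonce" may assume ID-token replay protection that this setting does not provide. A wording that matches the behaviour would be `hint: Send a random state parameter on the authorization request and verify it on the callback to protect against login CSRF. Only disable this if your provider rejects or mishandles the state parameter.` The title could likewise read `Enable state (CSRF) protection` so the setting name uses the same term as the OAuth flow it guards.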