Add ability to set state (#20)

Adds ability to set an extra param to vk. It improves security.
ueberauth · Nov 7, 2017 · 0a5f645 · 0a5f645
1 parent 95a169d
commit 0a5f645
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 8 deletions.
diff --git a/lib/ueberauth/strategy/vk.ex b/lib/ueberauth/strategy/vk.ex
@@ -5,11 +5,13 @@ defmodule Ueberauth.Strategy.VK do
 
  use Ueberauth.Strategy, default_scope: "",
  default_display: "page",
+ default_state: "",
  profile_fields: "",
  uid_field: :uid,
  allowed_request_params: [
  :display,
- :scope
+ :scope,
+ :state
  ]
 
  alias OAuth2.{Response, Error, Client}
@@ -30,6 +32,7 @@ defmodule Ueberauth.Strategy.VK do
  |> maybe_replace_param(conn, "auth_type", :auth_type)
  |> maybe_replace_param(conn, "scope", :default_scope)
  |> maybe_replace_param(conn, "display", :default_display)
+ |> maybe_replace_param(conn, "state", :default_state)
  |> Enum.filter(fn {k, _} -> Enum.member?(allowed_params, k) end)
  |> Enum.map(fn {k, v} -> {String.to_existing_atom(k), v} end)
  |> Keyword.put(:redirect_uri, callback_url(conn))
@@ -41,7 +44,7 @@ defmodule Ueberauth.Strategy.VK do
  @doc """
  Handles the callback from VK.
  """
- def handle_callback!(%Plug.Conn{params: %{"code" => code}} = conn) do
+ def handle_callback!(%Plug.Conn{params: %{"code" => code, "state" => state}} = conn) do
  opts = [redirect_uri: callback_url(conn)]
  client = OAuth.get_token!([code: code], opts)
  token = client.token
@@ -51,7 +54,7 @@ defmodule Ueberauth.Strategy.VK do
  desc = token.other_params["error_description"]
  set_errors!(conn, [error(err, desc)])
  else
- fetch_user(conn, client)
+ fetch_user(conn, client, state)
  end
  end
 
@@ -146,8 +149,10 @@ defmodule Ueberauth.Strategy.VK do
  end
  end
 
- defp fetch_user(conn, client) do
- conn = put_private(conn, :vk_token, client.token)
+ defp fetch_user(conn, client, state) do
+ conn = conn
+ |> put_private(:vk_token, client.token)
+ |> put_private(:vk_state, state)
  path = user_query(conn)
 
  case Client.get(client, path) do

diff --git a/test/fixtures/cassettes/httpoison_get.json b/test/fixtures/cassettes/httpoison_get.json
@@ -1,7 +1,7 @@
 [
  {
  "request": {
- "body": "client_id=appid&client_secret=secret&code=code_abc&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fwww.example.com%2Fauth%2Fvk%2Fcallback",
+ "body": "client_id=appid&client_secret=secret&code=code_abc&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fwww.example.com%2Fauth%2Fvk%2Fcallback&state=abc",
  "headers": {
  "Accept": "application/x-www-form-urlencoded",
  "Content-Type": "application/x-www-form-urlencoded"

diff --git a/test/fixtures/vk_response.html b/test/fixtures/vk_response.html
@@ -1 +1 @@
-<html><body>You are being <a href="https://oauth.vk.com/authorize?client_id=appid&amp;display=page&amp;redirect_uri=http%3A%2F%2Fwww.example.com%2Fauth%2Fvk%2Fcallback&amp;response_type=code&amp;scope=">redirected</a>.</body></html>
+<html><body>You are being <a href="https://oauth.vk.com/authorize?client_id=appid&amp;display=page&amp;redirect_uri=http%3A%2F%2Fwww.example.com%2Fauth%2Fvk%2Fcallback&amp;response_type=code&amp;scope=&amp;state=">redirected</a>.</body></html>
diff --git a/test/ueberauth/strategy/vk_test.exs b/test/ueberauth/strategy/vk_test.exs
@@ -56,7 +56,7 @@ defmodule Ueberauth.Strategy.VKTest do
  end
 
  test "default callback phase" do
- query = %{code: "code_abc"} |> URI.encode_query
+ query = %{code: "code_abc", state: "abc"} |> URI.encode_query
 
  use_cassette "httpoison_get" do
  conn =