From 4996165a8453f2d6470de2f3fe41a2847916f1d3 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Wed, 17 May 2017 15:24:43 -0400
Subject: [PATCH] SECURITY: Always validate `state` parameter

---
 config/locales/server.en.yml | 1 -
 config/settings.yml | 1 -
 plugin.rb | 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index eb9096d..cc84e99 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -14,5 +14,4 @@ en:
 oauth2_send_auth_header: "Send the token as an HTTP Authorization header"
 oauth2_debug_auth: "Include rich debugging information in your logs"
 oauth2_authorize_options: "When authorizing request these options"
- oauth2_ignore_state: "Don't validate the state parameter. This will be removed shortly!"
diff --git a/config/settings.yml b/config/settings.yml
index 644caaf..1a73d22 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -14,7 +14,6 @@ login:
 oauth2_email_verified: false
 oauth2_send_auth_header: true
 oauth2_debug_auth: false
- oauth2_ignore_state: true
 oauth2_authorize_options:
 default: 'scope'
 type: list
diff --git a/plugin.rb b/plugin.rb
index 9166d5f..d63dd85 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -29,7 +29,7 @@ class OAuth2BasicAuthenticator < ::Auth::OAuth2Authenticator
 opts = env['omniauth.strategy'].options
 opts[:client_id] = SiteSetting.oauth2_client_id
 opts[:client_secret] = SiteSetting.oauth2_client_secret
- opts[:provider_ignores_state] = SiteSetting.oauth2_ignore_state
+ opts[:provider_ignores_state] = false
 opts[:client_options] = {
 authorize_url: SiteSetting.oauth2_authorize_url,
 token_url: SiteSetting.oauth2_token_url
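Review bot: The hard-coded `false` on the `opts[:provider_ignores_state]` line in the plugin.rb hunk carries no comment saying it is a deliberate security decision, so a later maintainer could plausibly reintroduce a switch to turn it off; a one-line comment above it, `# Never skip state validation: the OAuth2 state value is the CSRF protection for the callback and is intentionally not operator-configurable`, would record the intent. If the underlying OmniAuth OAuth2 strategy already defaults this option to false, the explicit assignment is still worth keeping as an override of anything set earlier on `opts`, and the comment should say so. Because `oauth2_ignore_state` is removed from `config/settings.yml` in the same commit, any remaining reference to `SiteSetting.oauth2_ignore_state` elsewhere in the plugin would now fail at runtime and is worth checking. The enclosing block and its method start before this hunk and continue past it.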