From cef99620a1463c19882e9ec63841f5e83fd56941 Mon Sep 17 00:00:00 2001
From: babayotakun
Date: Mon, 19 Apr 2021 19:39:45 +0300
Subject: [PATCH] Allow to disable CSRF check during the oauth login. (#38)
* Ignore CSRF check.
* Ignore CSRF check as a plugin setting.
Co-authored-by: Kalach, Dmitry
---
config/locales/server.en.yml | 1 +
config/locales/server.ru.yml | 1 +
config/settings.yml | 2 ++
plugin.rb | 2 +-
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index dbfbfb1..55e0b1f 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -30,6 +30,7 @@ en:
 oauth2_scope: "When authorizing request this scope"
 oauth2_button_title: "The text for the OAuth2 button"
 oauth2_allow_association_change: Allow users to disconnect and reconnect their Discourse accounts from the OAuth2 provider
+ oauth2_disable_csrf: "Disable CSRF check"
 errors:
 oauth2_fetch_user_details: "oauth2_callback_user_id_path must be present to disable oauth2_fetch_user_details"
diff --git a/config/locales/server.ru.yml b/config/locales/server.ru.yml
index 7df70b8..72f64cc 100644
--- a/config/locales/server.ru.yml
+++ b/config/locales/server.ru.yml
@@ -35,5 +35,6 @@ ru:
 oauth2_scope: "При авторизации запрашивать эту область"
 oauth2_button_title: "Текст для кнопки 'OAuth2'"
 oauth2_allow_association_change: Разрешить пользователям отключать и повторно подключать свои учётные записи Discourse от поставщика OAuth2
+ oauth2_disable_csrf: "Отключить проверку CSRF"
 errors:
 oauth2_fetch_user_details: "Для отключения 'oauth2_fetch_user_details' должен быть настроен параметр 'oauth2_callback_user_id_path'"
diff --git a/config/settings.yml b/config/settings.yml
index 7903986..ab373e7 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -47,3 +47,5 @@ login:
 client: true
 oauth2_allow_association_change:
 default: false
+ oauth2_disable_csrf:
+ default: false
diff --git a/plugin.rb b/plugin.rb
index 8e7d377..fd4e56c 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -91,7 +91,7 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
 opts = env['omniauth.strategy'].options
 opts[:client_id] = SiteSetting.oauth2_client_id
 opts[:client_secret] = SiteSetting.oauth2_client_secret
- opts[:provider_ignores_state] = false
+ opts[:provider_ignores_state] = SiteSetting.oauth2_disable_csrf
 opts[:client_options] = {
 authorize_url: SiteSetting.oauth2_authorize_url,
 token_url: SiteSetting.oauth2_token_url,
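Review bot: `opts[:provider_ignores_state] = SiteSetting.oauth2_disable_csrf` switches off the OmniAuth `state` parameter verification on the callback, which is the login-CSRF protection of the whole OAuth2 flow, and neither this line nor the new setting's description says so. I would comment the line with `# true skips the OAuth2 state check on callback (login-CSRF protection); only for providers that cannot round-trip state` and reword the `oauth2_disable_csrf` string in config/locales/server.en.yml to name that consequence, e.g. `oauth2_disable_csrf: "Skip verification of the OAuth2 state parameter on callback. This removes login CSRF protection; enable only for providers that cannot return the state parameter"`. Since `SiteSetting` values can presumably be changed by an admin at runtime, consider also logging a warning when the option is true so the relaxed check is visible in the logs. The method enclosing this `opts` block starts and ends outside the hunk.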