Allow to disable CSRF check during the oauth login. (#38)

* Ignore CSRF check.

* Ignore CSRF check as a plugin setting.

Co-authored-by: Kalach, Dmitry <d.kalach@itransition.com>

config/locales/server.en.yml

@@ -30,6 +30,7 @@ en:
     oauth2_scope: "When authorizing request this scope"
     oauth2_button_title: "The text for the OAuth2 button"
     oauth2_allow_association_change: Allow users to disconnect and reconnect their Discourse accounts from the OAuth2 provider
+    oauth2_disable_csrf: "Disable CSRF check"
 
     errors:
       oauth2_fetch_user_details: "oauth2_callback_user_id_path must be present to disable oauth2_fetch_user_details"

config/locales/server.ru.yml

@@ -35,5 +35,6 @@ ru:
     oauth2_scope: "При авторизации запрашивать эту область"
     oauth2_button_title: "Текст для кнопки 'OAuth2'"
     oauth2_allow_association_change: Разрешить пользователям отключать и повторно подключать свои учётные записи Discourse от поставщика OAuth2
+    oauth2_disable_csrf: "Отключить проверку CSRF"
     errors:
       oauth2_fetch_user_details: "Для отключения 'oauth2_fetch_user_details' должен быть настроен параметр 'oauth2_callback_user_id_path'"

config/settings.yml

@@ -47,3 +47,5 @@ login:
     client: true
   oauth2_allow_association_change:
     default: false
+  oauth2_disable_csrf:
+    default: false

plugin.rb

@@ -91,7 +91,7 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
                         opts = env['omniauth.strategy'].options
                         opts[:client_id] = SiteSetting.oauth2_client_id
                         opts[:client_secret] = SiteSetting.oauth2_client_secret
-                        opts[:provider_ignores_state] = false
+                        opts[:provider_ignores_state] = SiteSetting.oauth2_disable_csrf
                         opts[:client_options] = {
                           authorize_url: SiteSetting.oauth2_authorize_url,
                           token_url: SiteSetting.oauth2_token_url,