Fix: add state= parameter to redirect URI after successful auth

author: Lars Wirzenius <liw@liw.fi> 2018-08-16 12:38:22 +0300
committer: Lars Wirzenius <liw@liw.fi> 2018-08-16 12:38:22 +0300
commit: a2fa0e9ed35da83e4e6a2c4f5282473d132e1497 (patch)
tree: 4a03c0f020421e85f2f147ce7f15160e7b762a83 /yarns/300-end-user-auth.yarn
parent: 371b445213a8d38948b655ce16f5b7ccf9ba6e46 (diff)
download: qvisqve-a2fa0e9ed35da83e4e6a2c4f5282473d132e1497.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index da79b03..98295fb 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -149,6 +149,7 @@ browser see it.
     AND HTTP Location header starts with https://facade/callback?
     AND HTTP Location header is saved as LOCATION
     AND authorization code from LOCATION is saved as CODE
+    AND state from LOCATION is RANDOM
 
 The browser follows the redirect to the facade. The facade extracts
 the authorization code, and uses its own client credentials to
author	Lars Wirzenius <liw@liw.fi>	2018-08-16 12:38:22 +0300
committer	Lars Wirzenius <liw@liw.fi>	2018-08-16 12:38:22 +0300
commit	a2fa0e9ed35da83e4e6a2c4f5282473d132e1497 (patch)
tree	4a03c0f020421e85f2f147ce7f15160e7b762a83 /yarns/300-end-user-auth.yarn
parent	371b445213a8d38948b655ce16f5b7ccf9ba6e46 (diff)
download	qvisqve-a2fa0e9ed35da83e4e6a2c4f5282473d132e1497.tar.gz