Potential fix for code scanning alert no. 7: CSRF protection weakened or disabled

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Robert Smith <[email protected]>

Author: rsmithlal

app/controllers/better_together/omniauth_callbacks_controller.rb

@@ -3,10 +3,11 @@
 module BetterTogether
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController # rubocop:todo Style/Documentation
     # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
-    skip_before_action :verify_authenticity_token, only: %i[github]
+    before_action :verify_oauth_state, only: %i[github]
 
     before_action :set_person_platform_integration, except: [:failure]
     before_action :set_user, except: [:failure]
+    before_action :generate_oauth_state, only: %i[github]
 
     attr_reader :person_platform_integration, :user
 
@@ -16,6 +17,13 @@ def github
 
     private
 
+    def verify_oauth_state
+      if params[:state] != session[:oauth_state]
+        flash[:alert] = 'Invalid OAuth state parameter'
+        redirect_to new_user_registration_path
+      end
+    end
+
     def handle_auth(kind) # rubocop:todo Metrics/AbcSize
       if user.present?
         flash[:success] = t 'devise_omniauth_callbacks.success', kind: kind if is_navigational_format?
@@ -44,6 +52,10 @@ def set_user
       )
     end
 
+    def generate_oauth_state
+      session[:oauth_state] = SecureRandom.hex(24)
+    end
+
     def failure
       flash[:error] = 'There was a problem signing you in. Please register or try signing in later.'
       redirect_to helpers.base_url