GH-22: Handle non-matching 'state' parameter case

ArtyomVancyan · ArtyomVancyan · commit 0df07c131a05 · 2023-09-11T21:21:04.000+04:00
diff --git a/src/fastapi_oauth2/core.py b/src/fastapi_oauth2/core.py
@@ -56,6 +56,7 @@ class OAuth2Core:
     _oauth_client: Optional[WebApplicationClient] = None
     _authorization_endpoint: str = None
     _token_endpoint: str = None
+    _state: str = None
 
     def __init__(self, client: OAuth2Client) -> None:
         self.client_id = client.client_id
@@ -83,6 +84,8 @@ def authorization_url(self, request: Request) -> str:
         oauth2_query_params = dict(state=state, scope=self.scope, redirect_uri=redirect_uri)
         oauth2_query_params.update(request.query_params)
 
+        self._state = oauth2_query_params.get("state")
+
         return str(self._oauth_client.prepare_request_uri(
             self._authorization_endpoint,
             **oauth2_query_params,
@@ -96,6 +99,8 @@ async def token_data(self, request: Request, **httpx_client_args) -> dict:
             raise OAuth2LoginError(400, "'code' parameter was not found in callback request")
         if not request.query_params.get("state"):
             raise OAuth2LoginError(400, "'state' parameter was not found in callback request")
+        if request.query_params.get("state") != self._state:
+            raise OAuth2LoginError(400, "'state' parameter does not match")
 
         redirect_uri = self.get_redirect_uri(request)
         scheme = "http" if request.auth.http else "https"
