Fix 'state' usage and validation

ArtyomVancyan · ArtyomVancyan · commit f8b84e818549 · 2023-06-22T13:09:13.000+04:00
diff --git a/fastapi_oauth2/base.py b/fastapi_oauth2/base.py
@@ -9,10 +9,6 @@
 from starlette.responses import RedirectResponse
 
 
-class UnsetStateWarning(UserWarning):
-    """Warning about unset state parameter"""
-
-
 class SSOLoginError(HTTPException):
     """Raised when any login-related error occurs
     (such as when user is not verified or if there was an attempt for fake login)
@@ -78,6 +74,7 @@ async def get_login_url(
             params: Optional[Dict[str, Any]] = None,
             state: Optional[str] = None,
     ) -> Any:
+        self.state = state
         params = params or {}
         redirect_uri = redirect_uri or self.redirect_uri
         if redirect_uri is None:
@@ -108,7 +105,8 @@ async def verify_and_process(
         code = request.query_params.get("code")
         if code is None:
             raise SSOLoginError(400, "'code' parameter was not found in callback request")
-        self.state = request.query_params.get("state")
+        if self.state != request.query_params.get("state"):
+            raise SSOLoginError(400, "'state' parameter does not match")
         return await self.process_login(
             code, request, params=params, additional_headers=headers, redirect_uri=redirect_uri
         )
