From eb0dbf6b79f2b6055adad2f188c18f0633a50c55 Mon Sep 17 00:00:00 2001
From: Aria
Date: Sun, 17 Dec 2023 19:27:36 +0000
Subject: [PATCH] fix oauth consumer mode

the previous code passed a state parameter to ueberauth with info about where to go after the user logged in, etc. since ueberauth 0.7, this parameter is ignored and oauth state is used for actual CSRF reasons. we now set a cookie with the state we need to keep track of, and read it once the callback happens.
---
 lib/pleroma/web/o_auth/o_auth_controller.ex | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index ba33dc9e7..29cbd6aa6 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -443,13 +443,10 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       |> Map.put("scope", scope)
       |> Jason.encode!()
 
-    params =
-      auth_attrs
-      |> Map.drop(~w(scope scopes client_id redirect_uri))
-      |> Map.put("state", state)
-
     # Handing the request to Ueberauth
-    redirect(conn, to: ~p"/oauth/#{provider}?#{params}")
+    conn
+    |> put_resp_cookie("akkoma_oauth_state", state)
+    |> redirect(to: ~p"/oauth/#{provider}")
   end
 
   def request(%Plug.Conn{} = conn, params) do
@@ -468,7 +465,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   end
 
   def callback(%Plug.Conn{assigns: %{ueberauth_failure: failure}} = conn, params) do
-    params = callback_params(params)
+    params = callback_params(conn, params)
     messages = for e <- Map.get(failure, :errors, []), do: e.message
     message = Enum.join(messages, "; ")
 
@@ -481,7 +478,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   end
 
   def callback(%Plug.Conn{} = conn, params) do
-    params = callback_params(params)
+    params = callback_params(conn, params)
 
     with {:ok, registration} <- Authenticator.get_registration(conn) do
       auth_attrs = Map.take(params, ~w(client_id redirect_uri scope scopes state))
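Review bot: The cookie written by `put_resp_cookie("akkoma_oauth_state", state)` in request/2 carries client_id, redirect_uri and scope unsigned, with no expiry and no SameSite attribute, so the browser keeps it for the whole session and it can be edited client-side just as the old query-string state could. Because the provider sends the user back via a top-level redirect, `Lax` is the strictest SameSite value that still reaches the callback; something like `|> put_resp_cookie("akkoma_oauth_state", state, sign: true, same_site: "Lax", max_age: 600)` bounds the window and lets callback_params verify the value with `fetch_cookies(conn, signed: ["akkoma_oauth_state"])`. `sign: true` relies on `conn.secret_key_base`, which a Phoenix endpoint normally sets — worth confirming for this pipeline, as is `secure: true` for HTTPS deployments. request/2's head and the `state` binding are above this hunk.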
@@ -511,8 +508,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     end
   end
 
-  defp callback_params(%{"state" => state} = params) do
-    Map.merge(params, Jason.decode!(state))
+  defp callback_params(%Plug.Conn{} = conn, params) do
+    fetch_cookies(conn)
+    Map.merge(params, Jason.decode!(Map.get(conn.req_cookies, "akkoma_oauth_state", "{}")))
   end
 
   def registration_details(%Plug.Conn{} = conn, %{"authorization" => auth_attrs}) do
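Review bot: In callback_params/2 the return value of `fetch_cookies(conn)` is discarded, so `conn.req_cookies` on the next line is whatever the caller passed in; unless an earlier plug already fetched cookies it is still `%Plug.Conn.Unfetched{}`, and `Map.get` silently falls back to `"{}"`, dropping the stored client_id/redirect_uri/scope without any error. The cookie value is also client-controlled: `Jason.decode!` raises on malformed input and `Map.merge` raises when the JSON is not an object, both surfacing as 500s rather than a handled failure. The rewrite below binds the fetched conn and only merges a decoded map; the callback clauses at -468 and -481 could additionally `delete_resp_cookie(conn, "akkoma_oauth_state")` so a stale state is not reused on a later callback.
```elixir
  defp callback_params(%Plug.Conn{} = conn, params) do
    conn = fetch_cookies(conn)

    # Cookie contents are untrusted input: ignore anything that is not a JSON object.
    case Jason.decode(Map.get(conn.req_cookies, "akkoma_oauth_state", "{}")) do
      {:ok, state} when is_map(state) -> Map.merge(params, state)
      _ -> params
    end
  end
```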