From eb0dbf6b79f2b6055adad2f188c18f0633a50c55 Mon Sep 17 00:00:00 2001
From: Aria
Date: Sun, 17 Dec 2023 19:27:36 +0000
Subject: [PATCH] fix oauth consumer mode
the previous code passed a state parameter to ueberauth with info about where to go after the user logged in, etc. since ueberauth 0.7, this parameter is ignored and oauth state is used for actual CSRF reasons. we now set a cookie with the state we need to keep track of, and read it once the callback happens.
---
 lib/pleroma/web/o_auth/o_auth_controller.ex | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index ba33dc9e7..29cbd6aa6 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -443,13 +443,10 @@ def prepare_request(%Plug.Conn{} = conn, %{
 |> Map.put("scope", scope)
 |> Jason.encode!()
- params =
- auth_attrs
- |> Map.drop(~w(scope scopes client_id redirect_uri))
- |> Map.put("state", state)
 # Handing the request to Ueberauth
- redirect(conn, to: ~p"/oauth/#{provider}?#{params}")
+ conn
+ |> put_resp_cookie("akkoma_oauth_state", state)
+ |> redirect(to: ~p"/oauth/#{provider}")
 end
 def request(%Plug.Conn{} = conn, params) do
@@ -468,7 +465,7 @@ def request(%Plug.Conn{} = conn, params) do
 end
 def callback(%Plug.Conn{assigns: %{ueberauth_failure: failure}} = conn, params) do
- params = callback_params(params)
+ params = callback_params(conn, params)
 messages = for e <- Map.get(failure, :errors, []), do: e.message
 message = Enum.join(messages, "; ")
@@ -481,7 +478,7 @@ def callback(%Plug.Conn{assigns: %{ueberauth_failure: failure}} = conn, params)
 end
 def callback(%Plug.Conn{} = conn, params) do
- params = callback_params(params)
+ params = callback_params(conn, params)
 with {:ok, registration} <- Authenticator.get_registration(conn) do
 auth_attrs = Map.take(params, ~w(client_id redirect_uri scope scopes state))
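Review bot: The cookie written by `put_resp_cookie("akkoma_oauth_state", state)` carries the values the callback later trusts (client_id, redirect_uri and scope, as far as the state-building just above the hunk shows) with only Plug's default attributes, so it is unsigned, has no explicit `same_site`, and lives for the whole browser session. The provider returns the user with a top-level cross-site navigation, so the cookie has to be sent on that request but need not be sent on arbitrary cross-site subresource requests, which is what `same_site: "Lax"` gives; a short `max_age` keeps a state left behind by an abandoned attempt from being picked up by a later callback; `sign: true` lets the callback reject a value this server did not write (it then has to be read with `fetch_cookies(conn, signed: ["akkoma_oauth_state"])`). One line covers it: `|> put_resp_cookie("akkoma_oauth_state", state, sign: true, same_site: "Lax", max_age: 600)` (the 600-second lifetime is a constructed example). `prepare_request/2` starts above the hunk, so how `state` is assembled is only partly visible here.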
@@ -511,8 +508,9 @@ def callback(%Plug.Conn{} = conn, params) do
 end
 end
- defp callback_params(%{"state" => state} = params) do
- Map.merge(params, Jason.decode!(state))
+ defp callback_params(%Plug.Conn{} = conn, params) do
+ fetch_cookies(conn)
+ Map.merge(params, Jason.decode!(Map.get(conn.req_cookies, "akkoma_oauth_state", "{}")))
 end
 def registration_details(%Plug.Conn{} = conn, %{"authorization" => auth_attrs}) do
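Review bot: `fetch_cookies(conn)` discards its return value, and `Plug.Conn.fetch_cookies/2` returns an updated conn rather than mutating the one passed in, so the next line reads the original `conn.req_cookies`; when cookies were not already fetched earlier in the pipeline that field is still `%Plug.Conn.Unfetched{}`, `Map.get` falls back to `"{}"`, and the stored state is silently dropped. `Jason.decode!/1` also raises on a cookie that is not valid JSON, and `Map.merge/2` raises if it decodes to anything but a map, so a stale or altered cookie ends in an exception instead of the callback's error handling; decoding with `Jason.decode/1` and returning `params` unchanged on failure leaves the callback to handle missing keys, which should be checked against the rest of `callback/2`, whose body lies outside this hunk. The cookie is also never cleared once consumed; since this helper returns params rather than the conn, the callback clauses that call it would need a `delete_resp_cookie(conn, "akkoma_oauth_state")` on the conn they go on to use.
```elixir
defp callback_params(%Plug.Conn{} = conn, params) do
  conn = fetch_cookies(conn)

  case Jason.decode(Map.get(conn.req_cookies, "akkoma_oauth_state", "{}")) do
    {:ok, state} when is_map(state) -> Map.merge(params, state)
    _ -> params
  end
end
```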