From 62fdf88cbdec6dbf248bea13611521667112f5e1 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Mon, 28 Apr 2025 16:23:19 -0600
Subject: feat: generate a nonce to validate the OAuth callback

---
 app/controllers/sessions/controller.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'app/controllers/sessions/controller.go')

diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 7e706e7..7549dc7 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -3,9 +3,11 @@ package sessions
 import (
 	"context"
 	"net/http"
+	"time"
 
 	"github.com/xlgmokha/x/pkg/log"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
 	"golang.org/x/oauth2"
 )
@@ -29,8 +31,9 @@ func (c *Controller) MountTo(mux *http.ServeMux) {
 }
 
 func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
-	// TODO:: Generate and store nonce and use as state param to compare as a CSRF token
-	url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
+	nonce := pls.GenerateNonce(32)
+	url := c.cfg.Config.AuthCodeURL(nonce, oauth2.SetAuthURLParam("audience", c.cfg.Config.ClientID))
+	http.SetCookie(w, cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute)))
 	http.Redirect(w, r, url, http.StatusFound)
 }
 
-- 
cgit v1.2.3