mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00

Encoded the mode in the Stripe Connect OAuth state

no-issue

The service at stripe.ghost.org must know which client_secret to use,
either the test or the live one. By encoding a JSON object as the state we
are able to pass data through the flow to inform this decision at the
end.

Note that we still keep a random value in the state to protect against
CSRF attacks.
This commit is contained in:
Fabien O'Carroll 2020-06-10 13:31:03 +02:00 committed by Fabien 'egg' O'Carroll
parent 33d1148cff
commit 5f808dfbee


@ -18,7 +18,11 @@ const redirectURI = 'https://stripe.ghost.org';
* @returns {Promise<URL>}
*/
async function getStripeConnectOAuthUrl(setSessionProp, mode = 'live') {
const state = randomBytes(16).toString('hex');
const randomState = randomBytes(16).toString('hex');
const state = Buffer.from(JSON.stringify({
mode,
randomState
})).toString('base64');
await setSessionProp(STATE_PROP, state);
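Review bot: the decoded `mode` must only be trusted after the complete returned `state` string has been compared with the session copy saved on the last line (`await setSessionProp(STATE_PROP, state);`); base64-encoded JSON carries no integrity protection, so a callback that checks only `randomState` and reads `mode` from the query could have the test/live decision flipped. Also consider validating `mode` against the two allowed values before encoding it, and note that plain `base64` output contains `+`, `/` and `=`, so the state has to reach the redirect URL through `URLSearchParams` (or be percent-encoded) rather than by concatenation. The visible JSDoc context ends with `* @returns {Promise<URL>}` and shows no `@param` for the new `mode` argument; add one if it is missing.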