From 5f808dfbee93b545889577504024c0288cedb84c Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 10 Jun 2020 13:31:03 +0200
Subject: [PATCH] Encoded the mode in the Stripe Connect OAuth state

no-issue

The service at stripe.ghost.org must know which client_secret to use, either the test, or live one. By encoding a JSON object as the state we are able to pass data through the flow to inform this decision at the end. Note, that we still keep a random value in the state to protect against CSRF attacks.
---
 core/server/services/members/stripe-connect.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/server/services/members/stripe-connect.js b/core/server/services/members/stripe-connect.js
index 540f5db4dd..ab9545a9a7 100644
--- a/core/server/services/members/stripe-connect.js
+++ b/core/server/services/members/stripe-connect.js
@@ -18,7 +18,11 @@ const redirectURI = 'https://stripe.ghost.org';
 * @returns {Promise}
 */
 async function getStripeConnectOAuthUrl(setSessionProp, mode = 'live') {
- const state = randomBytes(16).toString('hex');
+ const randomState = randomBytes(16).toString('hex');
+ const state = Buffer.from(JSON.stringify({
+ mode,
+ randomState
+ })).toString('base64');
 await setSessionProp(STATE_PROP, state);
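Review bot: The `mode` value is serialised into the state and, per the commit message, tells the stripe.ghost.org service which client_secret to use, yet nothing in the hunk checks that it is one of the two values that service understands; if any caller derives `mode` from request input, an arbitrary string would be carried through the OAuth flow to the secret-selection step. Before the `Buffer.from(JSON.stringify(...))` line I would add `if (mode !== 'live' && mode !== 'test') { throw new Error(\`Unsupported Stripe Connect mode: ${mode}\`); }`, which leaves the default-parameter path unchanged. The plain base64 alphabet includes `+`, `/` and `=`, so wherever the state is inserted into the redirect URL (outside this hunk) it has to go through `URLSearchParams` or `encodeURIComponent` rather than string concatenation, or the value echoed back by Stripe will not match the session copy and the CSRF check will fail. The 16 random bytes are retained inside the blob, so the CSRF protection holds provided the callback compares the entire returned state against the stored `STATE_PROP` value rather than only the decoded `mode`. The body of getStripeConnectOAuthUrl continues past the end of the hunk.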