Purpose of session_params
foi APIs
#210
Comments
Just to be clearer, I'm talking specifically about the For example, the API When calling the API post

Doing some more research, I found where the

```elixir
defp maybe_check_state(%{state: stored_state}, %{"state" => provided_state}) do
  case Assent.constant_time_compare(stored_state, provided_state) do
    true -> :ok
    false -> {:error, CallbackCSRFError.new("state")}
  end
end

defp maybe_check_state(%{state: _state}, params) do
  {:error, MissingParamError.new("state", params)}
end

defp maybe_check_state(_session_params, _params), do: :ok
```

But now this makes even less sense, inside the

```elixir
params = Map.drop(params, ["provider", "session_params"])
```

This will remove the

```elixir
defp maybe_set_session_params_config(config, %{private: %{pow_assent_session_params: params}}),
  do: Config.put(config, :session_params, params)

defp maybe_set_session_params_config(config, _conn), do: config
```

later the So, in the end, This means that, unless I'm missing something, it is impossible to
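The three pieces quoted above can be put together in a standalone sketch that reproduces the behaviour being discussed: the `state` check only runs against `session_params` taken from the connection's `private` map, and a `"session_params"` key sent in the request params is dropped before the check. This is an added example written for this issue, not pow_assent's or Assent's code; `StateCheckDemo`, the plain-map `conn` values and the sample state strings are all constructed for the demo.

```elixir
defmodule StateCheckDemo do
  # Stand-in for Assent.constant_time_compare/2: a length check followed by
  # an OR-accumulated XOR over every byte, so the result does not depend on
  # where the first mismatching byte sits.
  defp constant_time_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end)
    |> Kernel.==(0)
  end

  defp constant_time_compare(_a, _b), do: false

  # Mirrors the callback path quoted in the thread: session_params are read
  # from conn.private (where the server stored them), never from the request.
  def callback(conn, params) do
    session_params = get_in(conn, [:private, :pow_assent_session_params]) || %{}

    # Same drop as in the library: a client-supplied "session_params" key is
    # discarded, so it can never feed the state check.
    params = Map.drop(params, ["provider", "session_params"])

    check_state(session_params, params)
  end

  # State stored server-side and state supplied in the request: compare them.
  defp check_state(%{state: stored}, %{"state" => provided}) do
    if constant_time_compare(stored, provided), do: :ok, else: {:error, :callback_csrf}
  end

  # State stored server-side but none in the request.
  defp check_state(%{state: _stored}, _params), do: {:error, :missing_state}

  # Nothing stored server-side: nothing is checked at all.
  defp check_state(_session_params, _params), do: :ok
end

# Constructed connections; real code would use a %Plug.Conn{} here.
conn_with_state = %{private: %{pow_assent_session_params: %{state: "demo-state-1"}}}
conn_without_state = %{private: %{}}

# Stored state matches the request.
StateCheckDemo.callback(conn_with_state, %{"state" => "demo-state-1", "code" => "c"})
# Stored state does not match the request.
StateCheckDemo.callback(conn_with_state, %{"state" => "other-state", "code" => "c"})
# Nothing stored server-side: the client-sent "session_params" is dropped and
# the check is skipped, which is the situation the issue describes.
StateCheckDemo.callback(conn_without_state, %{"session_params" => %{"state" => "x"}, "state" => "x"})
```

The last call is the case reported in the issue: when no `session_params` were stored on the server side for the request, the `state` value the client sends is never compared against anything.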
Hello,

Looking at pow_assent documentation and source code, it's not clear to me what is the objective of the `session_params` config, why it is stored in the connection, etc.

I'm using the `google` strategy with the API guide, but if, for example, I change the returned `session_params` for something else before calling the `callback` endpoint, I still receive the `access_token` and `renew_token` without any issue and everything seems to work ok.

This makes me wonder what is the real objective behind creating and storing this value if it doesn't seem to be verified or used anywhere (at least I didn't find any place looking at the code).

Maybe this is something only relevant when using it with web applications instead of mobile ones (where I only access the backend via my API)? If that is the case, is it safe to ignore it entirely?