The OAuth2 "state" field, the first argument of AuthCodeURL, is supposed to be a CSRF token - a completely unguessable random string of bytes. Further, on the callback, the OAuth2 service will return the provided state, and negroni-oauth2 should be checking it for equality.
It's certainly clever that the next URL is being passed in as the state field, but it's insecure. Both the expected state and the next URL should be kept in the session.
It may be safe to include additional information inside the state field besides a CSRF token (e.g. the next URL field), but any benefit from that is possibly negated by having to store the expected CSRF token somewhere.
We should allow the user to set a random token before generation. The state could be a complex object including a next key, but it should indeed have a well-generated random field.
http://tools.ietf.org/html/rfc6749#section-10.12
Check out https://github.com/jtolds/go-oauth2http
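The pattern the thread argues for, written out as an added example (this is not code from negroni-oauth2 or from go-oauth2http): the "state" sent to the provider is a fresh random token, both that token and the post-login next URL are kept server-side in the session, and the callback compares the echoed state against the stored one before trusting the redirect target. It uses only the Go standard library and builds the authorization URL by hand instead of through an oauth2 client's AuthCodeURL; the provider endpoint, client ID, redirect URI, session IDs and the in-memory session store are constructed placeholders standing in for a real deployment.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// pendingLogin is the server-side record for one login in progress: the
// expected "state" token and the URL to send the user to afterwards.
type pendingLogin struct {
	State string
	Next  string
}

// sessionStore is a constructed stand-in for a real session backend, keyed by
// an opaque session ID that the browser would carry in a cookie.
type sessionStore struct {
	mu   sync.Mutex
	data map[string]pendingLogin
}

func newSessionStore() *sessionStore {
	return &sessionStore{data: make(map[string]pendingLogin)}
}

// newState draws 32 bytes from crypto/rand and encodes them URL-safe without
// padding, giving a 43-character token that cannot be guessed.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// beginLogin stores the expected state together with the next URL in the
// session and returns the authorization URL. Only the random token travels
// as "state"; the next URL never leaves the server.
func (s *sessionStore) beginLogin(sessionID, authEndpoint, clientID, redirectURI, next string) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	s.data[sessionID] = pendingLogin{State: state, Next: next}
	s.mu.Unlock()

	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode(), nil
}

// finishLogin is the callback-side check: compare the echoed state with the
// stored one in constant time, consume the record so it cannot be replayed,
// and only then return the stored next URL.
func (s *sessionStore) finishLogin(sessionID, returnedState string) (string, error) {
	s.mu.Lock()
	p, ok := s.data[sessionID]
	delete(s.data, sessionID) // single use, whether or not it matches
	s.mu.Unlock()
	if !ok {
		return "", errors.New("no login in progress for this session")
	}
	if subtle.ConstantTimeCompare([]byte(p.State), []byte(returnedState)) != 1 {
		return "", errors.New("state mismatch: rejecting callback")
	}
	return p.Next, nil
}

// stateFromURL extracts the "state" query parameter, the value the provider
// echoes back unchanged on the redirect_uri.
func stateFromURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if st := u.Query().Get("state"); st != "" {
		return st, nil
	}
	return "", errors.New("missing state parameter")
}

func main() {
	store := newSessionStore()
	authURL, err := store.beginLogin("session-abc", "https://provider.example/authorize",
		"client-id-placeholder", "https://app.example/oauth2/callback", "/dashboard")
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", authURL)
	echoed, _ := stateFromURL(authURL)
	next, err := store.finishLogin("session-abc", echoed) // genuine callback
	fmt.Println("valid callback -> next:", next, "err:", err)
	// A callback whose state is the next URL itself (the guessable pattern
	// the thread objects to) does not match the stored token.
	store.beginLogin("session-xyz", "https://provider.example/authorize", "client-id-placeholder", "https://app.example/oauth2/callback", "/dashboard")
	_, err = store.finishLogin("session-xyz", "/dashboard")
	fmt.Println("forged callback -> err:", err)
}
```

Keeping the next URL in the session rather than in state also means a later open-redirect check can be applied to a value the client never controlled in transit, and the single-use delete in finishLogin closes the replay window regardless of how the comparison turns out.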