From 358f19681073e87c07bfc1beada0159ad947f289 Mon Sep 17 00:00:00 2001
From: David Pedersen
Date: Sat, 13 Jan 2024 15:37:03 +0100
Subject: [PATCH] Add note about missing CSRF validation in oauth example (#2512)

---
 examples/oauth/src/main.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/examples/oauth/src/main.rs b/examples/oauth/src/main.rs
index 6ceffe8f84..659ce2619c 100644
--- a/examples/oauth/src/main.rs
+++ b/examples/oauth/src/main.rs
@@ -143,6 +143,11 @@ async fn index(user: Option) -> impl IntoResponse {
 }
 
 async fn discord_auth(State(client): State) -> impl IntoResponse {
+    // TODO: this example currently doesn't validate the CSRF token during login attempts. That
+    // makes it vulnerable to cross-site request forgery. If you copy code from this example make
+    // sure to add a check for the CSRF token.
+    //
+    // Issue for adding check to this example https://github.com/tokio-rs/axum/issues/2511
     let (auth_url, _csrf_token) = client
         .authorize_url(CsrfToken::new_random)
         .add_scope(Scope::new("identify".to_string()))
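Review bot: The new comment tells readers to "add a check for the CSRF token" without saying what that check is, and the line directly below it is where the token is discarded (`_csrf_token`), which is the root of the gap. I would spell out the mechanism so someone copying the example knows what to implement: the token returned by `authorize_url` has to be persisted server-side (presumably in the session store this example already uses, not visible in this hunk) and the callback handler has to compare it against the state query parameter before exchanging the authorization code, rejecting the login on mismatch or absence. A concrete wording next to the `let` would be `// Persist the CSRF token here and compare it with the state query parameter in the callback handler; reject the login on mismatch.`, keeping the issue link as is. The body of `discord_auth` continues outside the hunk, so whether the callback currently reads the state parameter at all cannot be confirmed from here.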