Have Quay always use an OAuth-specific CSRF token

This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token.

Fixes https://www.pivotaltracker.com/story/show/135803615
This commit is contained in:
Joseph Schorr 2016-12-08 16:11:57 -05:00
parent 34f2ddce87
commit ff52fde8a5
8 changed files with 72 additions and 48 deletions

View file

@ -215,7 +215,8 @@ quayApp.config(['$routeProvider', '$locationProvider', 'pages', function($routeP
// 404/403
.route('/:catchall', 'error-view')
.route('/:catch/:all', 'error-view')
.route('/:catch/:all/:things', 'error-view');
.route('/:catch/:all/:things', 'error-view')
.route('/:catch/:all/:things/:here', 'error-view');
}]);
// Configure compile provider to add additional URL prefixes to the sanitization list. We use