Have Quay always use an OAuth-specific CSRF token

This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token.

Fixes https://www.pivotaltracker.com/story/show/135803615

static/js/directives/ui/external-login-button.js

@@ -21,19 +21,21 @@ angular.module('quay').directive('externalLoginButton', function () {
 
       $scope.startSignin = function() {
         $scope.signInStarted({'service': $scope.provider});
+        ApiService.generateExternalLoginToken().then(function(data) {
+          var url = ExternalLoginService.getLoginUrl($scope.provider, $scope.action || 'login');
+          url = url + '&state=' + encodeURIComponent(data['token']);
 
-        var url = ExternalLoginService.getLoginUrl($scope.provider, $scope.action || 'login');
+          // Save the redirect URL in a cookie so that we can redirect back after the service returns to us.
+          var redirectURL = $scope.redirectUrl || window.location.toString();
+          CookieService.putPermanent('quay.redirectAfterLoad', redirectURL);
 
-        // Save the redirect URL in a cookie so that we can redirect back after the service returns to us.
-        var redirectURL = $scope.redirectUrl || window.location.toString();
-        CookieService.putPermanent('quay.redirectAfterLoad', redirectURL);
-
-        // Needed to ensure that UI work done by the started callback is finished before the location
-        // changes.
-        $scope.signingIn = true;
-        $timeout(function() {
-          document.location = url;
-        }, 250);
+          // Needed to ensure that UI work done by the started callback is finished before the location
+          // changes.
+          $scope.signingIn = true;
+          $timeout(function() {
+            document.location = url;
+          }, 250);
+        }, ApiService.errorDisplay('Could not perform sign in'));
       };
     }
   };