Hi, I wonder how I can check the state in the backend. As I can see, there is a method, signin(serverUrl, signinPath), which sends code and state to the backend, but when I call it I don't have the state on the backend. I wonder why this method sends state. As I understand it, to protect against a CSRF attack I should first call an endpoint on the backend, generate the state, save it in the session, and return a cookie with the state, and the next call to the backend for the code exchange should contain this state. But I wonder why that method sends state. Maybe I don't understand this flow?
This is part of my frontend code:

```javascript
import SDK from "casdoor-js-sdk";

const sdk = new SDK({
  serverUrl: "https://casdoor-server",
  clientId: "id",
  appName: "app",
  organizationName: "organization",
  redirectPath: "/auth",
  signinPath: "/api/signin",
});

// On the redirect path the SDK forwards code and state from the URL to the backend.
if (window.location.pathname === "/auth") {
  await sdk.signin("http://localhost:8080");
}

// Otherwise start the login by sending the browser to the Casdoor sign-in page.
window.location.href = sdk.getSigninUrl();
```

and backend:

```python
from bottle import request, Bottle
from api.utils.cors import cors_enabled


def setup_auth_routes(app: Bottle):
    @app.route('/api/signin', ['POST', 'OPTIONS'])
    @cors_enabled
    def auth_callback():
        # The SDK passes code and state as query parameters of the POST.
        code = request.query.get('code')
        state = request.query.get('state')
```
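The flow described in the question (the backend issues a state bound to the browser's session, and the code-exchange endpoint verifies it before doing anything with the code), as an added example that is not part of the original issue or of casdoor-js-sdk. It uses only the Python standard library; the `begin_login`, `verify_callback` and `handle_signin` names, the `sid` cookie name and the in-memory `SESSIONS` dict are assumptions that stand in for a framework's server-side session store.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory session store (assumption): session_id -> {"state", "issued"}.
# A real deployment would use the framework's server-side session storage.
SESSIONS = {}
STATE_TTL_SECONDS = 600  # reject callbacks that arrive long after the login started


def begin_login():
    """Step 1, before redirecting to the provider.
    Returns (session_id, state): session_id is set as an HttpOnly cookie,
    state is put into the authorize URL so the provider echoes it back."""
    session_id = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"state": state, "issued": time.time()}
    return session_id, state


def verify_callback(session_id: Optional[str], state: Optional[str]) -> bool:
    """Step 2, inside the code-exchange endpoint.
    True only if the echoed state matches the one bound to this browser's
    session. The entry is consumed on every attempt, so a state is single-use
    and cannot be replayed after a failed or successful exchange."""
    entry = SESSIONS.pop(session_id, None) if session_id else None
    if entry is None or not state:
        return False
    if time.time() - entry["issued"] > STATE_TTL_SECONDS:
        return False
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(entry["state"], state)


def handle_signin(cookies: dict, query: dict):
    """What an /api/signin handler does before talking to the token endpoint.
    `cookies` and `query` stand in for request.get_cookie() and request.query."""
    if not verify_callback(cookies.get("sid"), query.get("state")):
        return 403, "state mismatch: unsolicited or replayed callback"
    code = query.get("code")
    if not code:
        return 400, "missing code"
    # Only now is it safe to exchange `code` for tokens at the provider.
    return 200, "ok"
```

A callback that arrives without the session cookie, with a state that does not match, or with a state that was already consumed is rejected before the code is ever sent to the token endpoint.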