From aebb6818b7db6ee665a72281fcd109f37cfbc5c1 Mon Sep 17 00:00:00 2001
From: Eric Chiang <eric.chiang@coreos.com>
Date: Thu, 1 Dec 2016 09:05:56 -0800
Subject: [PATCH] cmd/example-app: use a non-empty state

Use a non-empty state in the example-app to ensure dex is properly
preserving the state for the code flow.

Updates #712
---
 cmd/example-app/main.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cmd/example-app/main.go b/cmd/example-app/main.go
index 32728841..a188dccc 100644
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@@ -23,6 +23,8 @@ import (
 	"golang.org/x/oauth2"
 )
 
+const exampleAppState = "I wish to wash my irish wristwatch"
+
 type app struct {
 	clientID     string
 	clientSecret string
@@ -241,9 +243,9 @@ func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
 	scopes = append(scopes, "openid", "profile", "email")
 	if a.offlineAsScope {
 		scopes = append(scopes, "offline_access")
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("")
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState)
 	} else {
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("", oauth2.AccessTypeOffline)
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
 	}
 	http.Redirect(w, r, authCodeURL, http.StatusSeeOther)
 }
@@ -254,6 +256,11 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if state := r.FormValue("state"); state != exampleAppState {
+		http.Error(w, fmt.Sprintf("expected state %q got %q", exampleAppState, state), http.StatusBadRequest)
+		return
+	}
+
 	code := r.FormValue("code")
 	refresh := r.FormValue("refresh_token")
 	var (