From 275bd78c6842285f2ab96e08af874d91ad28251b Mon Sep 17 00:00:00 2001
From: Jon Jensen
Date: Mon, 12 May 2014 17:07:13 -0600
Subject: [PATCH] pass back state during auto-accept oauth flows, fixes CNVS-13006
test plan: n/a, see specs ... needs an implementation
Change-Id: If429c925b5089036a32839653b609cdd8b82d95d
Reviewed-on: https://gerrit.instructure.com/34781
Reviewed-by: Dave Donahue
Reviewed-by: Brian Palmer
Product-Review: Marc LeGendre
QA-Review: Marc LeGendre
Tested-by: Jenkins
---
 app/controllers/pseudonym_sessions_controller.rb | 3 ++-
 spec/controllers/pseudonym_sessions_controller_spec.rb | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/controllers/pseudonym_sessions_controller.rb b/app/controllers/pseudonym_sessions_controller.rb
index c2093e086dd..a9e78d9acf8 100644
--- a/app/controllers/pseudonym_sessions_controller.rb
+++ b/app/controllers/pseudonym_sessions_controller.rb
@@ -648,7 +648,6 @@ class PseudonymSessionsController < ApplicationController
 
   def oauth2_accept
     redirect_params = final_oauth2_redirect_params(:remember_access => params[:remember_access])
-    redirect_params[:state] = session[:oauth2][:state] if session[:oauth2][:state]
     final_oauth2_redirect(session[:oauth2][:redirect_uri], redirect_params)
   end
 
@@ -698,6 +697,8 @@ class PseudonymSessionsController < ApplicationController
     options = {:scopes => session[:oauth2][:scopes], :remember_access => options[:remember_access], :purpose => session[:oauth2][:purpose]}
     code = Canvas::Oauth::Token.generate_code_for(@current_user.global_id, session[:oauth2][:client_id], options)
     redirect_params = { :code => code }
+    redirect_params[:state] = session[:oauth2][:state] if session[:oauth2][:state]
+    redirect_params
   end
 
   def final_oauth2_redirect(redirect_uri, opts = {})
diff --git a/spec/controllers/pseudonym_sessions_controller_spec.rb b/spec/controllers/pseudonym_sessions_controller_spec.rb
index 770a36272c5..95da8e3e951 100644
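Review bot: The `state` value that `final_oauth2_redirect_params` now appends is client-supplied (it reached `session[:oauth2]` from the authorization request), and after this change it is added on the remembered-access path as well as the explicit accept, so the only thing standing between a `state` containing `&`, `#` or whitespace and a mangled redirect is the encoding done in `final_oauth2_redirect`, whose body begins past the end of the second hunk; confirm it escapes `opts` values rather than interpolating them into the URL. Echoing the client's `state` unchanged on every code-issuing path is what RFC 6749 §4.1.2 requires, and a short comment on the new line would keep that intent visible through later refactors, e.g. `# RFC 6749 §4.1.2: return the client's state unchanged so it can bind this callback to its own request (CSRF protection)`. The first hunk is only the matching removal from `oauth2_accept`, which now receives `state` through the shared helper and needs nothing further.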
--- a/spec/controllers/pseudonym_sessions_controller_spec.rb
+++ b/spec/controllers/pseudonym_sessions_controller_spec.rb
@@ -838,6 +838,16 @@ describe PseudonymSessionsController do
       response.location.should match(/https:\/\/example.com/)
     end
 
+    it 'should redirect to the redirect uri with the provided state' do
+      @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+      provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, ['/auth/userinfo'], nil)
+
+      post :create, params, :oauth2 => provider.session_hash.merge(state: "supersekrit")
+      response.should be_redirect
+      response.location.should match(/https:\/\/example.com/)
+      response.location.should match(/state=supersekrit/)
+    end
+
     it 'should not reuse userinfo tokens for other scopes' do
       @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
       provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, [], nil)
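Review bot: The new assertion `response.location.should match(/state=supersekrit/)` only shows that the substring appears somewhere in the location, so it would also pass if the value were duplicated, landed in the fragment, or came back with extra characters; parsing the query pins the exact behaviour the controller change promises, e.g. `Rack::Utils.parse_query(URI(response.location).query)['state'].should == 'supersekrit'`. Choosing a fixture value that needs escaping (one containing `&` or a space) would additionally confirm the value is URL-encoded rather than interpolated. The guard `if session[:oauth2][:state]` is not exercised here; a negative assertion in the neighbouring remembered-access example that sends no state, `response.location.should_not match(/state=/)`, would cover it. The `describe` block enclosing these examples starts before the hunk.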