Add note about missing CSRF validation in oauth example (#2512)

tokio-rs · Jan 13, 2024 · 358f196 · 358f196
1 parent 9ebd105
commit 358f196
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/examples/oauth/src/main.rs b/examples/oauth/src/main.rs
@@ -143,6 +143,11 @@ async fn index(user: Option<User>) -> impl IntoResponse {
 }
 
 async fn discord_auth(State(client): State<BasicClient>) -> impl IntoResponse {
+    // TODO: this example currently doesn't validate the CSRF token during login attempts. That
+    // makes it vulnerable to cross-site request forgery. If you copy code from this example make
+    // sure to add a check for the CSRF token.
+    //
+    // Issue for adding check to this example https://github.com/tokio-rs/axum/issues/2511
     let (auth_url, _csrf_token) = client
         .authorize_url(CsrfToken::new_random)
         .add_scope(Scope::new("identify".to_string()))