Context
From security audit (#114). The OAuth `state` parameter (`src/entrypoints/app/routes/auth/index.ts:49`) is a JSON-encoded `{ returnTo }` value rather than a cryptographic nonce, so it carries no unpredictable value that binds the authorization response to the browser session that started the flow.
While the existing open redirect protection limits the practical risk, a proper CSRF defense uses a random nonce that is stored server-side or in a signed cookie and compared against the `state` returned in the callback.
Action
- Generate a cryptographic random nonce for the state parameter
- Store it in a short-lived cookie or server-side
- Validate it in the callback
- Include returnTo as part of the signed payload
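The four steps above, worked through as an added example (not code from this repository): a signed `state` built from a random nonce plus `returnTo`, the nonce mirrored into a short-lived cookie, and a callback-side check that verifies the HMAC, matches the cookie nonce, enforces a lifetime, and re-validates `returnTo`. The payload shape, cookie name, lifetime and the `isSafeReturnTo` rule are assumptions for the example, not the project's own.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed payload shape for the signed state (illustrative, not the project's type).
interface StatePayload {
  nonce: string;    // random CSRF nonce, also stored in a short-lived cookie
  returnTo: string; // post-login destination, covered by the signature
  iat: number;      // issue time in ms since epoch, so stale states are rejected
}

export const STATE_MAX_AGE_MS = 10 * 60 * 1000; // assumed 10-minute lifetime
const COOKIE_NAME = "oauth_state_nonce";        // assumed cookie name

function sign(secret: string, payload: string): string {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// Constant-time string comparison; length check first because timingSafeEqual throws on mismatch.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Only site-relative paths are acceptable redirect targets (no scheme, no "//host", no "/\host").
export function isSafeReturnTo(returnTo: string): boolean {
  return returnTo.startsWith("/") && !returnTo.startsWith("//") && !returnTo.startsWith("/\\");
}

// Step 1 + 2 + 4: mint the nonce, sign { nonce, returnTo, iat }, and produce the cookie
// that the login route sets on the response redirecting to the identity provider.
export function createState(secret: string, returnTo: string, now: number = Date.now()) {
  const target = isSafeReturnTo(returnTo) ? returnTo : "/";
  const nonce = randomBytes(16).toString("hex");
  const payload: StatePayload = { nonce, returnTo: target, iat: now };
  const encoded = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const state = `${encoded}.${sign(secret, encoded)}`;
  const cookie =
    `${COOKIE_NAME}=${nonce}; Max-Age=${STATE_MAX_AGE_MS / 1000}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  return { state, nonce, cookie };
}

// Step 3: in the callback, reject anything not signed by us, not bound to this browser's
// cookie nonce, expired, or pointing off-site. Returns the validated returnTo, or null.
export function verifyState(
  secret: string,
  state: string,
  cookieNonce: string | undefined,
  now: number = Date.now(),
): string | null {
  if (!cookieNonce) return null; // no cookie: flow was not started by this browser
  const dot = state.lastIndexOf(".");
  if (dot <= 0) return null;
  const encoded = state.slice(0, dot);
  const sig = state.slice(dot + 1);
  if (!safeEqual(sig, sign(secret, encoded))) return null; // forged or tampered state
  let payload: StatePayload;
  try {
    payload = JSON.parse(Buffer.from(encoded, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof payload.nonce !== "string" || typeof payload.returnTo !== "string" || typeof payload.iat !== "number") {
    return null;
  }
  if (!safeEqual(payload.nonce, cookieNonce)) return null; // state belongs to another session
  if (now < payload.iat || now - payload.iat > STATE_MAX_AGE_MS) return null; // stale or from the future
  if (!isSafeReturnTo(payload.returnTo)) return null; // defence in depth on the redirect target
  return payload.returnTo;
}
```

Because `returnTo` sits inside the signed payload, the callback can trust it without re-reading it from the query string, and the cookie nonce is what ties the response to the browser that initiated the login; an attacker-supplied `state` fails either the signature check or the cookie match.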
Severity
Medium — low practical risk due to existing redirect validation.