From 2b172e5bf4df816603af1ab9add1a5f920c6daca Mon Sep 17 00:00:00 2001
From: Bell Isabell
Date: Tue, 3 Mar 2026 18:40:36 -0800
Subject: [PATCH] Security: Re-enable OAuth CSRF state validation

Remove provider_ignores_state: true from Google OAuth configuration. This re-enables CSRF state validation which protects against cross-site request forgery attacks during the OAuth flow.

Closes #15
---
 config/initializers/devise.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a2b0503..24abf5b 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -275,7 +275,7 @@
 # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
 if Rails.configuration.google_oauth[:client_id].present? && Rails.configuration.google_oauth[:client_secret].present?
 config.omniauth :google_oauth2, Rails.configuration.google_oauth[:client_id],
- Rails.configuration.google_oauth[:client_secret], provider_ignores_state: true
+ Rails.configuration.google_oauth[:client_secret]
 end
 # ==> Warden configuration
 # If you want to use other strategies, that are not supported by Devise, or
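Review bot: With `provider_ignores_state: true` gone from the `config.omniauth :google_oauth2` call, the callback is only accepted when the `state` parameter matches the value stored in the session during the request phase, so the fix is only effective if that session cookie actually survives the round trip to Google and back; the commit does not say why the flag was originally added, and a state mismatch (typically from session cookie SameSite/domain settings or the callback host differing from the request host) is the usual reason it gets introduced, so the callback should be exercised end-to-end with production cookie settings before this ships. Nothing in the hunk stops someone from re-adding the flag the next time they hit a mismatch, so a comment above the `if` would help: `# Do not pass provider_ignores_state: the OAuth state parameter is the CSRF check for the callback; fix session/cookie settings instead of disabling it.` As a style point, `Rails.configuration.google_oauth` is read four times in three lines; assigning it once to a local (e.g. `google = Rails.configuration.google_oauth`) would shorten the long `if` condition and the call.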