From 2219cfd83eff1654cc0ef03b55d878312d0a02ed Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Thu, 14 Oct 2021 16:52:19 -0700
Subject: [PATCH] fix: Increase entropy of state string for OAuth process closes #2663
---
 server/utils/passport.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/utils/passport.js b/server/utils/passport.js
index 31edb4518..e12d0cf0b 100644
--- a/server/utils/passport.js
+++ b/server/utils/passport.js
@@ -9,7 +9,8 @@ export class StateStore {
 key: string = "state";
 store = (req: Request, callback: (err: ?Error, state?: string) => void) => {
- const state = Math.random().toString(36).substring(7);
+ // Produce an 8-character random string as state
+ const state = Math.random().toString(36).slice(-8);
 // $FlowFixMe
 req.cookies.set(this.key, state, {