Replace CSRF token with tokens based on the user's ID.

[kraftakt.git] / gfit / gfit.go

diff --git a/gfit/gfit.go b/gfit/gfit.go
index 610ee5c..858f94d 100644 (file)
--- a/gfit/gfit.go
+++ b/gfit/gfit.go
@@ -19,8 +19,7 @@ import (
 )
 
 const (
-       csrfToken = "@CSRFTOKEN@"
-       userID    = "me"
+       userID = "me"
 
        dataTypeNameCalories        = "com.google.calories.expended"
        dataTypeNameDistance        = "com.google.distance.delta"
@@ -51,12 +50,8 @@ func Application(ctx context.Context) *fitness.Application {
        }
 }
 
-func AuthURL() string {
-       return oauthConfig().AuthCodeURL(csrfToken, oauth2.AccessTypeOffline)
-}
-
 func ParseToken(ctx context.Context, r *http.Request, u *app.User) error {
-       if state := r.FormValue("state"); state != csrfToken {
+       if state := r.FormValue("state"); state != u.Sign("Google") {
                return fmt.Errorf("invalid state parameter: %q", state)
        }
 
@@ -90,6 +85,10 @@ func NewClient(ctx context.Context, u *app.User) (*Client, error) {
        }, nil
 }
 
+func (c *Client) AuthURL(ctx context.Context) string {
+       return oauthConfig().AuthCodeURL(c.appUser.Sign("Google"), oauth2.AccessTypeOffline)
+}
+
 func (c *Client) DeleteToken(ctx context.Context) error {
        return c.appUser.DeleteToken(ctx, "Google")
 }