X-Git-Url: https://git.octo.it/?p=kraftakt.git;a=blobdiff_plain;f=fitbit%2Ffitbit.go;h=36242d16a90acab855a6c77e912f475d391bfa44;hp=d7a885dd97c4e3d0bd7407644c18ef549a387847;hb=1b0eaa82adf8853641ac460743020f83e889a4a3;hpb=380a565ae90637a0b73c968f2e530860bef8ee74
diff --git a/fitbit/fitbit.go b/fitbit/fitbit.go
index d7a885d..36242d1 100644
--- a/fitbit/fitbit.go
+++ b/fitbit/fitbit.go
@@ -32,14 +32,8 @@ func oauthConfig() *oauth2.Config {
 }
 }
 
-const csrfToken = "@CSRFTOKEN@"
-
-func AuthURL() string {
- return oauthConfig().AuthCodeURL(csrfToken, oauth2.AccessTypeOffline)
-}
-
 func ParseToken(ctx context.Context, r *http.Request, u *app.User) error {
- if state := r.FormValue("state"); state != csrfToken {
+ if state := r.FormValue("state"); state != u.Sign("Fitbit") {
 return fmt.Errorf("invalid state parameter: %q", state)
 }
 
@@ -155,6 +149,10 @@ func NewClient(ctx context.Context, fitbitUserID string, u *app.User) (*Client,
 }, nil
 }
 
+func (c *Client) AuthURL(ctx context.Context) string {
+ return oauthConfig().AuthCodeURL(c.appUser.Sign("Fitbit"), oauth2.AccessTypeOffline)
+}
+
 func (c *Client) ActivitySummary(ctx context.Context, date string) (*ActivitySummary, error) {
 url := fmt.Sprintf("https://api.fitbit.com/1/user/%s/activities/date/%s.json", c.fitbitUserID, date)
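Review bot: In ParseToken the new check `state != u.Sign("Fitbit")` compares a request-supplied value against what looks like a per-user signature using Go's ordinary string inequality, which is not constant-time. If Sign returns a MAC (its implementation is not part of this diff), the check should read `!hmac.Equal([]byte(state), []byte(u.Sign("Fitbit")))` or use `subtle.ConstantTimeCompare`, which needs a `crypto/hmac` or `crypto/subtle` import outside this hunk. ParseToken's body continues past the end of the hunk.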
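Review bot: The state passed to AuthCodeURL in the new Client.AuthURL is `c.appUser.Sign("Fitbit")`, which as far as this diff shows takes no nonce or expiry, so every authorization URL for a given user would carry the same state and ParseToken would keep accepting it. Unless Sign mixes in per-request data (not visible here), consider signing a per-flow nonce or timestamp together with the label so a state value that ends up in logs, history or a Referer header cannot be reused later. The label "Fitbit" is a literal repeated in ParseToken; a shared constant such as `const stateLabel = "Fitbit"` keeps issuer and verifier from drifting apart. The method is exported without a doc comment and its `ctx` parameter is unused; `// AuthURL returns the Fitbit consent URL; its state parameter is verified by ParseToken.` would document the pairing.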