Add option to use OAuth "state" param in internet accounts #3296
Conversation
Codecov Report
Coverage Diff (main vs #3296):

            main      #3296     +/-
Coverage    59.59%    59.58%    -0.01%
Files       731       731
Lines       28887     28891     +4
Branches    6984      6987      +3
Hits        17215     17216     +1
Misses      11428     11431     +3
Partials    244       244
From previous work we've done, we have to use a non-getter (which I call a method) to be able to override it in an extending model. Examples are things like trackMenuItems.
Maybe that is only if you need to use super though... but it might not be a bad thing to use anyway.
Good point, made it a method.
Can you clarify how state is intended to be used? It seems related to various security concerns, so knowing what the intent is might be helpful (at least for me :)). https://auth0.com/docs/secure/attack-protection/state-parameters#use-the-stored-url-to-redirect-users
Specifically for Apollo, this is going to be used in the way the article you linked describes:
Since in Apollo 3 the JBrowse 2 instance does not necessarily have to be on the same server as the Apollo Collaboration Server, the URL of the JBrowse 2 instance is sent in the
In Apollo 3 the server itself is doing the signing in instead of the client, and it does the same thing described in that article, using a stored nonce to keep track of the state data. It uses the passport-oauth2 library to do that.
This adds the option to use the state parameter in an OAuth authorization. By default it is read from the config, but if dynamic state is needed, the "get state" getter can be overridden in an extending model. Motivation is to use this in Apollo to keep track of some state across the OAuth flow.