Remove state and origin from session once used.

Pierre Pretorius · Pierre Pretorius · commit e246fa9e7316 · 2017-03-02T08:51:56.000+02:00
diff --git a/lib/omniauth/strategies/oauth2.rb b/lib/omniauth/strategies/oauth2.rb
@@ -71,14 +71,14 @@ def callback_phase # rubocop:disable AbcSize, CyclomaticComplexity, MethodLength
         error = request.params["error_reason"] || request.params["error"]
         if error
           fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
-        elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || session["omniauth.states"].empty? || !session["omniauth.states"].include?(request.params["state"]))
+        elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || session["omniauth.states"].empty? || !session["omniauth.states"].delete(request.params["state"]))
           fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
         else
           self.access_token = build_access_token
           self.access_token = access_token.refresh! if access_token.expired?
 
           if session['omniauth.state_origins'] && session['omniauth.state_origins'][request.params['state']]
-            env['omniauth.origin'] = session['omniauth.state_origins'][request.params['state']]
+            env['omniauth.origin'] = session['omniauth.state_origins'].delete(request.params['state'])
           end
           super
         end
