Laravel Socialite has a "stateless" mode which disables storing anything to session. From a read of the source code it doesn't do anything different instead -- it just doesn't store or retrieve these values.
As part of this, it assumes for example that the OAuth state is always valid.
Checking this is one of the things which the Twitter sign-in documentation, for example, tells us to do.
So I'm wondering what sort of security implications using the stateless mode of Socialite could have.
If it's anything serious, what sort of workarounds would there be, for an application running as a stateless API? I could store things in its Redis store, but I'm not sure how I'd tie any bit of information to the current user. By reimplementing what Socialite does I could for example store the state in the cache, keyed by some hash of the user's IP and browser fingerprint. But this seems very messy.
via tremby
