Improve state passing

[dltn]

trafficstars

Form options (CSV/JSON) are currently passed through the OAuth state string parameter. This complicates passing state and is nonstandard. Instead, we should be storing this state locally with the state token as a key (and ideally validating the request):

If state is used for carrying application state, and integrity of its contents is a concern, clients MUST protect state against tampering and swapping. This can be achieved by binding the contents of state to the browser session and/or signed/encrypted state values

See:

• https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09
• http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
• https://stackoverflow.com/questions/52459476/does-oauth-state-mitigate-any-genuinely-dangerous-attacks
• https://pipedrive.readme.io/docs/marketplace-oauth-authorization-state-parameter

[darekkay]

Thank for the issue, I totally agree. The code is from 7 years ago and I remember having issues with passing the state around and my hack/workaround to solve it.

[dltn]

Merged to production via https://github.com/darekkay/todoist-export/pull/9#issuecomment-779709817

[darekkay]

@dltn This improvement ticket hasn't been tackled in #9 afaik. From your comment:

This PR encodes the archive option in the existing "format string" – which isn't ideal, but minimizes the changes needed to keep compatibility. I don't want to bloat this PR further, so I created https://github.com/darekkay/todoist-export/issues/11 to track this.

I'm currently not planning to work on this (prioritizing other projects), but I'm fine with keeping valid tickets open.