Use proper oauth state (#3847)

cmd/server/server.go

@@ -265,6 +265,13 @@ func run(c *cli.Context) error {
 }
 
 func setupEvilGlobals(c *cli.Context, s store.Store) error {
+	// secrets
+	var err error
+	server.Config.Server.JWTSecret, err = setupJWTSecret(s)
+	if err != nil {
+		return fmt.Errorf("could not setup jwt secret: %w", err)
+	}
+
 	// services
 	server.Config.Services.Queue = setupQueue(c, s)
 	server.Config.Services.Logs = logging.New()

cmd/server/setup.go

@@ -17,10 +17,13 @@ package main
 
 import (
 	"context"
+	"encoding/base32"
+	"errors"
 	"fmt"
 	"os"
 	"time"
 
+	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	prometheus_auto "github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/rs/zerolog/log"
@@ -34,6 +37,7 @@ import (
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/log/file"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store/datastore"
+	"go.woodpecker-ci.org/woodpecker/v2/server/store/types"
 )
 
 func setupStore(c *cli.Context) (store.Store, error) {
@@ -165,3 +169,26 @@ func setupLogStore(c *cli.Context, s store.Store) (logService.Service, error) {
 		return s, nil
 	}
 }
+
+const jwtSecretID = "jwt-secret"
+
+func setupJWTSecret(_store store.Store) (string, error) {
+	jwtSecret, err := _store.ServerConfigGet(jwtSecretID)
+	if errors.Is(err, types.RecordNotExist) {
+		jwtSecret := base32.StdEncoding.EncodeToString(
+			securecookie.GenerateRandomKey(32),
+		)
+		err = _store.ServerConfigSet(jwtSecretID, jwtSecret)
+		if err != nil {
+			return "", err
+		}
+		log.Debug().Msg("created jwt secret")
+		return jwtSecret, nil
+	}
+
+	if err != nil {
+		return "", err
+	}
+
+	return jwtSecret, nil
+}