Currently, after OAuth succeeds, the backend redirects to the FRONTEND_URL env var.
But different frontend implementations may have a different path to be redirected to, and they all may use the same backend server.
To make our solution more generic, the frontend will specify the callback URL as a query param when it initiates the OAuth flow.
But how will the backend store this callback URL? Control is handed over to the external OAuth server, and our backend code only gets control back when the external provider calls our endpoint.
So we can use the "state" variable for this communication.
Specifies any string value that your application uses to maintain state between your authorization request and the authorization server's response. The server returns the exact value that you send as a name=value pair in the URL query component (?) of the redirect_uri after the user consents to or denies your application's access request.
You can use this parameter for several purposes, such as directing the user to the correct resource in your application, sending nonces, and mitigating cross-site request forgery. Since your redirect_uri can be guessed, using a state value can increase your assurance that an incoming connection is the result of an authentication request. If you generate a random string or encode the hash of a cookie or another value that captures the client's state, you can validate the response to additionally ensure that the request and response originated in the same browser, providing protection against attacks such as cross-site request forgery.
This is the equivalent link for GitHub OAuth.
How to do this with nestjs/passport?
try StackOverflow link
Additional Todo:
Why does this not exist in the official @nestjs/passport docs? Maybe create an issue, or even a PR to their docs.
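
A sketch of carrying the callback URL in `state` as proposed above, added here as an example and not code from this project or from @nestjs/passport. It assumes a server-side secret, an allow-list of frontend origins, and a per-browser nonce kept in the session; `buildState`, `readState`, `STATE_SECRET` and `ALLOWED_ORIGINS` are hypothetical names.

```javascript
const crypto = require("node:crypto");

// Assumptions for this sketch: the secret comes from configuration, and the
// allow-list holds the origins of the frontends that share this backend.
const STATE_SECRET = "replace-with-a-long-random-secret";
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

const sign = (payload) =>
  crypto.createHmac("sha256", STATE_SECRET).update(payload).digest("base64url");

// Called when the frontend starts the flow with ?callback=<url>.
// Returns the state to send to the provider and the nonce to keep in the
// user's session (or a cookie) until the provider calls back.
function buildState(callbackUrl) {
  // Compare the parsed origin, not a string prefix, so userinfo tricks fail.
  if (!ALLOWED_ORIGINS.has(new URL(callbackUrl).origin)) {
    throw new Error("callback URL is not an allowed frontend");
  }
  const nonce = crypto.randomBytes(16).toString("base64url");
  const payload = Buffer.from(JSON.stringify({ cb: callbackUrl, nonce })).toString("base64url");
  return { state: `${payload}.${sign(payload)}`, nonce };
}

// Called in the OAuth callback handler with the state echoed by the provider
// and the nonce stored for this browser. Returns the URL to redirect to, or
// null when the state was altered or belongs to another session.
function readState(state, expectedNonce) {
  const parts = String(state).split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const data = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
    if (data.nonce !== expectedNonce) return null; // CSRF check: same browser
    // Re-check the origin in case the allow-list changed mid-flow.
    return ALLOWED_ORIGINS.has(new URL(data.cb).origin) ? data.cb : null;
  } catch {
    return null; // malformed JSON or URL
  }
}
```

The HMAC keeps the callback URL from being swapped while the value passes through the browser and the provider, and the nonce comparison is what gives `state` its cross-site request forgery protection.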