From cfdc5d1c9b118a13269ca57ba7be8d8923f5cd59 Mon Sep 17 00:00:00 2001
From: Hannes Ortmeier <ortmeier.hannes@gmail.com>
Date: Mon, 6 Jan 2025 18:50:08 +0100
Subject: [PATCH] Feature: add optional OAuth state parameter

---
 docs/configuration.md       | 12 ++++++++++++
 src/paperless/settings.py   |  2 ++
 src/paperless_mail/oauth.py |  2 ++
 3 files changed, 16 insertions(+)

diff --git a/docs/configuration.md b/docs/configuration.md
index 671e289b0..894f59e84 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1229,6 +1229,12 @@ consumers working on the same file. Configure this to prevent that.
 
     Defaults to none.
 
+#### [`PAPERLESS_GMAIL_OAUTH_CLIENT_STATE=<str>`](#PAPERLESS_GMAIL_OAUTH_CLIENT_STATE) {#PAPERLESS_GMAIL_OAUTH_CLIENT_STATE}
+
+: State parameter for Gmail OAuth. This parameter is sent to the OAuth provider and returned in the callback.
+
+    Defaults to none.
+
 #### [`PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID=<str>`](#PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID) {#PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID}
 
 : The OAuth client ID for Outlook. This is required for Outlook OAuth Email setup. See [OAuth Email Setup](usage.md#oauth-email-setup) for more information.
@@ -1241,6 +1247,12 @@ consumers working on the same file. Configure this to prevent that.
 
     Defaults to none.
 
+#### [`PAPERLESS_OUTLOOK_OAUTH_CLIENT_STATE=<str>`](#PAPERLESS_OUTLOOK_OAUTH_CLIENT_STATE) {#PAPERLESS_OUTLOOK_OAUTH_CLIENT_STATE}
+
+: State parameter for Outlook OAuth. This parameter is sent to the OAuth provider and returned in the callback.
+
+    Defaults to none.
+
 ### Encrypted Emails {#encrypted_emails}
 
 #### [`PAPERLESS_EMAIL_GNUPG_HOME=<str>`](#PAPERLESS_EMAIL_GNUPG_HOME) {#PAPERLESS_EMAIL_GNUPG_HOME}
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index a32c78ef5..9adb6586c 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -1222,6 +1222,7 @@ EMPTY_TRASH_DELAY = max(__get_int("PAPERLESS_EMPTY_TRASH_DELAY", 30), 1)
 OAUTH_CALLBACK_BASE_URL = os.getenv("PAPERLESS_OAUTH_CALLBACK_BASE_URL")
 GMAIL_OAUTH_CLIENT_ID = os.getenv("PAPERLESS_GMAIL_OAUTH_CLIENT_ID")
 GMAIL_OAUTH_CLIENT_SECRET = os.getenv("PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET")
+GMAIL_OAUTH_CLIENT_STATE = os.getenv("PAPERLESS_GMAIL_OAUTH_CLIENT_STATE")
 GMAIL_OAUTH_ENABLED = bool(
     (OAUTH_CALLBACK_BASE_URL or PAPERLESS_URL)
     and GMAIL_OAUTH_CLIENT_ID
@@ -1229,6 +1230,7 @@ GMAIL_OAUTH_ENABLED = bool(
 )
 OUTLOOK_OAUTH_CLIENT_ID = os.getenv("PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID")
 OUTLOOK_OAUTH_CLIENT_SECRET = os.getenv("PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET")
+OUTLOOK_OAUTH_CLIENT_STATE = os.getenv("PAPERLESS_OUTLOOK_OAUTH_CLIENT_STATE")
 OUTLOOK_OAUTH_ENABLED = bool(
     (OAUTH_CALLBACK_BASE_URL or PAPERLESS_URL)
     and OUTLOOK_OAUTH_CLIENT_ID
diff --git a/src/paperless_mail/oauth.py b/src/paperless_mail/oauth.py
index 2bf2245bb..6e4fbd3ad 100644
--- a/src/paperless_mail/oauth.py
+++ b/src/paperless_mail/oauth.py
@@ -49,6 +49,7 @@ class PaperlessMailOAuth2Manager:
                 redirect_uri=self.oauth_callback_url,
                 scope=["https://mail.google.com/"],
                 extras_params={"prompt": "consent", "access_type": "offline"},
+                state=settings.GMAIL_OAUTH_CLIENT_STATE,
             ),
         )
 
@@ -60,6 +61,7 @@ class PaperlessMailOAuth2Manager:
                     "offline_access",
                     "https://outlook.office.com/IMAP.AccessAsUser.All",
                 ],
+                self=settings.OUTLOOK_OAUTH_CLIENT_STATE,
             ),
         )