Login CSRF using Google OAuth

Disclosed: 2016-03-08 04:24:08 By 5hivaay To thisdata
Vulnerability Details
This bug is related to bug report [https://hackerone.com/reports/774], as this bug also allows a user to be logged in as the attacker. An attacker could exploit this bug as follows:

  • Attacker initiates the Google OAuth process with thisdata
  • Attacker allows access to the thisdata app
  • Attacker records and drops the redirection to thisdata (in order not to consume the token)
  • Attacker directs the victim to /oauth/redirect?state={attacker's state}&code={attacker's code}
  • Victim is now logged in as the attacker

The state parameter is the solution for this, but in this case the state parameter is not being validated on the server side.
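The server-side check the report says is missing can be sketched as follows. This is an added example, not code from the report or from thisdata: the session is modelled as a plain dict, and `CLIENT_ID`, `REDIRECT_URI`, `begin_login`, `handle_callback` and `demo` are hypothetical names.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical values for illustration; not thisdata's real configuration.
AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/redirect"


class StateMismatch(Exception):
    """Callback state does not match the one issued to this session."""


def begin_login(session: dict) -> str:
    """Issue an unguessable state, bind it to the caller's session, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, params: dict) -> str:
    """Return the code only if state matches this session; the state is single-use."""
    expected = session.pop("oauth_state", None)  # pop: a replayed callback fails
    received = params.get("state")
    if not expected or not received:
        raise StateMismatch("missing state")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("state was not issued to this session")
    if "code" not in params:
        raise StateMismatch("missing code")
    return params["code"]  # only now exchange it at the token endpoint


def demo() -> tuple:
    # Constructed sessions: the attacker started a flow, the victim did not.
    attacker_session, victim_session = {}, {}
    begin_login(attacker_session)
    forged = {"state": attacker_session["oauth_state"], "code": "attacker-code"}
    try:
        handle_callback(victim_session, forged)
        victim_accepted = True
    except StateMismatch:
        victim_accepted = False
    return victim_accepted, handle_callback(attacker_session, forged)
```

Because the state lives in the browser's own session, a callback URL built from another session's `state` and `code` is rejected before any token exchange happens.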
Report Stats
  • Report ID: 118737
  • State: Closed
  • Substate: resolved
  • Upvotes: 2