oauth: reenable pkce and state checking

Seems to work on my local scavenger (with production maclyonsden.com),
so I'll enable this and debug with issues on production scavenger.

core/views/auth.py

@@ -44,7 +44,7 @@ def oauth_login(q):
     redirect_uri = q.build_absolute_uri(reverse("oauth_auth"))
     state = secrets.token_urlsafe(32)
     q.session["yasoi_state"] = state
-    # pkce_params = pkce1(q)
+    pkce_params = pkce1(q)
     return redirect(
         settings.YASOI["authorize_url"]
         + "?"
@@ -55,7 +55,7 @@ def oauth_login(q):
                 redirect_uri=redirect_uri,
                 scope=settings.YASOI["scope"],
                 state=state,
-                # **pkce_params,
+                **pkce_params,
             )
         )
     )
@@ -65,12 +65,12 @@ def oauth_login(q):
 def oauth_auth(q):
     redirect_uri = q.build_absolute_uri(reverse("oauth_auth"))
     given_state = q.GET["state"]
-    # expected_state = q.session["yasoi_state"]
-    # if expected_state != given_state:
-    #    raise TypeError("state mismatch")
+    expected_state = q.session["yasoi_state"]
+    if expected_state != given_state:
+       raise TypeError("state mismatch")
     if "error" in q.GET:
         raise RuntimeError(f'{q.GET["error"]}: {q.GET.get("error_description")}')
-    # pkce_params = pkce2(q)
+    pkce_params = pkce2(q)
     code = q.GET["code"]
     q2 = requests.post(
         settings.YASOI["token_url"],
@@ -79,7 +79,7 @@ def oauth_auth(q):
             code=code,
             redirect_uri=redirect_uri,
             **{key: settings.YASOI[key] for key in ("client_id", "client_secret")},
-            # **pkce_params,
+            **pkce_params,
         ),
     )
     if q2.status_code == 400: