Security Audit Flags Missing OAuth State Parameter as Critical CSRF Risk in Instagram Integration
A security audit has identified a high-severity vulnerability in the platform's Instagram OAuth integration. The `getAuthUrl()` function in `lib/instagram.js` builds authorization URLs without a CSRF `state` parameter, and `app/api/instagram/callback/route.js` performs no state validation on the callback. Because nothing ties the callback to the browser session that started the flow, an attacker can begin an authorization flow with an Instagram account they control, capture the callback URL carrying their own authorization code, and trick a logged-in victim into loading it. The platform then exchanges the attacker's code and binds the attacker's Instagram account to the victim's platform account, replacing any account the victim had linked.
The attack succeeds because the integration omits the one mechanism the OAuth authorization-code flow provides against it: the `state` parameter. Normally the client generates an unguessable state value, includes it in the authorization request, and on callback checks that the returned value matches the one stored for the user's session before touching the authorization code; a callback forged by an attacker cannot carry the victim's state. The audit notes that the fix requires generating a cryptographically secure state value with `crypto.randomBytes(16).toString('hex')`, storing it in a short-lived cookie or server-side session, and rejecting the callback unless the returned state matches before the code is exchanged. The two affected files, `lib/instagram.js` and `app/api/instagram/callback/route.js`, require modifications to implement this protection. Practitioners applying the fix should also treat the stored state as single-use (clear it once consumed), give it a short lifetime, set the cookie `HttpOnly` and `Secure` with `SameSite=Lax` so it still accompanies the top-level redirect back from Instagram, and compare the two values with a constant-time comparison such as `crypto.timingSafeEqual`.
The vulnerability poses a direct risk to users who connect Instagram accounts through the platform, as an attacker could silently replace a victim's linked Instagram account with one they control. The issue is classified as HIGH severity and is documented as part of an ongoing security audit series. No evidence suggests the vulnerability has been actively exploited, but the simplicity of the attack and the availability of a documented fix increase the urgency of remediation. The flaw appears specific to the Instagram OAuth implementation rather than reflecting a broader authentication framework weakness, though any similar OAuth integrations in the codebase should be reviewed for the same missing state generation and validation.