AWS CloudFormation Linter

Invalid templateSCC-SA1001 The variable in the loop condition never changesSCC-SA4008 Invalid regular expressionSCC-SA1000 Value assigned to a variable is never read before being overwrittenSCC-SA4006 The result of append is not used anywhereSCC-SA4010 Found assignment to `nil` mapSCC-SA5000 Invalid format in `time.Parse`SCC-SA1002 Exported function returning value of unexported typeRVV-B0011 Found `for` loop instead of `append`SCC-S1011 Found `time.Now().Sub(t)` instead of `time.Since(t)`SCC-S1012 Found manually copying of struct fieldsSCC-S1016 Found manual trimming of stringSCC-S1017 Use `copy()` for sliding elementsSCC-S1018 Found redundant `nil` check in type assertionSCC-S1020 Found variable declaration and assignment separatelySCC-S1021 Found redundant control flowSCC-S1023 Found `x.Sub(time.Now())` instead of `time.Until(x)`SCC-S1024 Don't use `fmt.Sprintf("%s", x)` unnecessarilySCC-S1025 Found unnecessary multiple type assertionSCC-S1034 Invalid URL in `net/url.Parse`SCC-SA1007 Found trapping a signal that cannot be trappedSCC-SA1016 Channels used with `signal.Notify` should be bufferedSCC-SA1017 Using a deprecated function, variable, constant or fieldSCC-SA1019 Found empty critical sectionSCC-SA2001 Unused method receiverRVV-B0013 `sort.Slice` can only be used on slicesGO-W5002 Missing an optimization opportunity when indexing maps by byte slicesSCC-SA6001 Simplify `error` construction with `fmt.Errorf`SCC-S1028 Replace `for` loop with call to `copy` for sliceSCC-S1001 Boolean expression has identical expressions on both sidesSCC-SA4000 Replace call to `bytes.Compare` with `bytes.Equal`SCC-S1004 Cannot marshal channels or functionsSCC-SA1026 Found non-idiomatic returning of boolean expressionSCC-S1008 Invalid first argument to `exec.Command`SCC-SA1005 Detected usage of `defer` in `for`/`range` loopSCC-SA9001 Found redundant `nil` check on sliceSCC-S1009 Found usage of default slice indexSCC-S1010 Unsupported argument to functions in `encoding/binary`SCC-SA1003 `(*regexp.Regexp).FindAll` called with `n == 0` always returns zero resultsSCC-SA1010 Range over the string directlySCC-SA6003 Found inefficient `string` comparison with `strings.ToLower` or `strings.ToUpper`SCC-SA6005 Empty string test can be improvedCRT-A0004 Function call can be replaced with helper functionCRT-A0010 Duplicate body found in branchesCRT-D0006 Duplicate cases found in `switch` statementCRT-D0007 Duplicate operands found around a binary operatorCRT-D0008 Suspicious regex patternCRT-D0019 Multiple `append` can be combined into a single callCRT-P0001 The boolean expression can be simplifiedCRT-D0018 Using a deprecated function, variable, constant or fieldGO-W1009 Using a deprecated function, variable, constant or field from `archive/tar` packageGO-W1014 Using a deprecated function, variable, constant or field from `go/importer` packageGO-W1015 Using a deprecated function, variable, constant or field from `os` packageGO-W1010 Using a deprecated function, variable, constant or field from `net` packageGO-W1011 Using a deprecated function, variable, constant or field from `go/types` packageGO-W1012 Using a deprecated function, variable, constant or field from `image` packageGO-W1013 Self-assignment of variablesSCC-SA4018 Found empty body in an `if` or `else` branchSCC-SA9003 Flagname has suspicious charactersCRT-D0012 Unused parameter in functionRVV-B0012 Slice index out of boundsSCC-SA5006 It is not possible to use `time.Timer.Reset()`'s return value correctlySCC-SA1025 Error compilingSCC-compile Defering `Close` before checking for a possible errorSCC-SA5001 Trying to marshal a struct with no public fields nor custom marshalingSCC-SA9005 Non-pointer value passed to `Unmarshal` or `Decode`SCC-SA1014 `time.Tick` used in leaky waySCC-SA1015 Some violation of cgo pointer passing rulesVET-V0006 Incorrect usage of `sync/atomic` packageVET-V0003 Bad usage of boolean operatorsVET-V0004 Signature of methods of well-known interfaces probably not satisfiedVET-V0015 Shifts >= the width of the integerVET-V0014 Lock erroneously passed by valueVET-V0008 References to loop variable from within nested functionVET-V0010 Useless comparisons between functions and `nil`VET-V0012 Non-pointer or non-interface values passed to `Unmarshal`VET-V0018 `gin.LoadHTMLGlob` with ill-formed pattern would panicGO-E1000 Redis function called with an incorrect number of argumentsGO-E1001 Unimplemented Redis method call would panicGO-E1002 Sanitize insecure filename before useGO-S1000 Avoid building query with zero values in a structGO-E1004 Avoid model update query with zero values in a structGO-E1005 `string` to `int` signedness castingGO-E1006 Hidden goroutineGO-E1007 Invalid `result` operator in `Compare` functionGO-E1003 Use `any` instead of `interface{}`GO-R3001 Reorder operands for optimizationGO-P3001 Non-idiomatic slice zeroing `for` loopGO-P4001 Early return in if-then-else`GO-R3002 Potential DoS vulnerability via decompression bombGO-S2110 Possible `nil` pointer dereferenceGO-W5016 Deleting a directory that shouldn’t be deletedGO-W5019 Inappropriate usage of `t.Parallel()` methodGO-W6007 Exporting pointer for loop variablesGO-W6005 Poorly formed nilness guardsGO-E1008 Audit required: Possibly odd compound for assignment operators: '+=' or '-='GO-E1009 Using a non-pointer or non-error value with `errors.As`GO-W6001 Using `string(int)` for `int` to `string` conversionGO-W1020 Using `string(int)` for `int` to `string` conversionGO-W1021 `strings.HasPrefix` with constant strings as argumentsGO-W1022 `strings.HasSuffix` with constant strings as argumentsGO-W1023 Assembly clobbers the frame pointer before saving itGO-W6002 Using `string(int)` for `int` to `string` conversionGO-W6003 Using bytes.Equal to compare two net.IPSCC-SA1021 The empty for loop (`for {}`) spins and can block the schedulerSCC-SA5002 Using an invalid `host:port` pair with `net.Listen`SCC-SA1020 Comparing a value against NaN even though no value is equal to NaNSCC-SA4012 Atomic access to 64-bit variable must be 64-bit alignedSCC-SA1027 Called `testing.T.FailNow` or `testing.T.SkipNow` in a goroutineSCC-SA2002 Unreachable case clause in a type switchSCC-SA4020 `for { select { ... } }` with an empty default branch spinsSCC-SA5004 The finalizer references the finalized object, preventing garbage collectionSCC-SA5005 Invalid `UTF-8` value providedSCC-SA1011 Bitwise operations, such as `x ^ 0`, do not do anything usefulSCC-SA4016 `strings.Replace`/ `bytes.Replace` called with `n == 0`, which does nothingSCC-SA1018 Comparing unsigned values against negative values is pointlessSCC-SA4003 Bind to all interfacesGSC-G102 Simplify `make` call by omitting redundant argumentsSCC-S1019 Omit redundant `nil` check around loopSCC-S1031 Use `sort.Ints(x)`, `sort.Float64s(x)`, and `sort.Strings(x)`SCC-S1032 Found unnecessary guard around call to `delete`SCC-S1033 Redundant call to `net/http.CanonicalHeaderKey` in method call on `net/http.Header`SCC-S1035 Modifying the buffer in an io.Writer implementationSCC-SA1023 A string cutset contains duplicate charactersSCC-SA1024 sync.(*WaitGroup).Add called inside a goroutineSCC-SA2000 Deferred Lock right after lockingSCC-SA2003 Assigning to `b.N` in benchmarksSCC-SA3001 `&*x` or `*&x` gets simplified to `x` and it does not copy `x`SCC-SA4001 A function argument is overwritten before its first useSCC-SA4009 `break` statement with no effectSCC-SA4011 Calling functions like `math.Ceil` on floats converted from integersSCC-SA4015 `if`-`else-if` chain has duplicate conditions without side-effectSCC-SA4014 Pure function's return value is discarded, making the call pointlessSCC-SA4017 Duplicate build constraintsSCC-SA4019 Incorrect usage of `append`SCC-SA4021 Logical expression evaluating to constant valueRVV-A0001 Use `for { ... }` instead of `for true { ... }` loopsSCC-S1006 Use `(*bytes.Buffer).String` or `(*bytes.Buffer).Bytes`SCC-S1030 Inconsistency of Printf format strings and argumentsVET-V0013 Infinite recursive callSCC-SA5007 Import blacklist: crypto/desGSC-G502 Import blacklist: crypto/rc4GSC-G503 Import blacklist: net/http/cgiGSC-G504 Pointer from `flag` package's method dereferenced immediatelyGO-W1016 Swapping can be done using parallel assignmentCRT-A0009 Import blacklist: crypto/sha1GSC-G505 Use plain channel send or receiveSCC-S1000 Poor file permissions used when creating a directoryGSC-G301 Poor file permissions used when creating a file or using `os.Chmod`GSC-G302 Creating tempfile using a predictable pathGSC-G303 Method modifies receiverRVV-B0006 Using a non-octal os.FileModeSCC-SA9002 Only the first constant has an explicit typeSCC-SA9004 Replace call to `strings.Index` with `strings.Contains`SCC-S1003 Drop unnecessary use of the blank identifierSCC-S1005 Defers in infinite loops will never executeSCC-SA5003 Audit the usage of unescaped data in HTML templatesGSC-G203 Simplify regular expression by using raw string literalSCC-S1007 Invalid `Printf` callSCC-SA5009 Using `regexp.Match` or related in a loopSCC-SA6000 The loop exits unconditionally after one iterationSCC-SA4004 Invalid tag used in structSCC-SA5008 Potential usage of DES, RC4, MD5 or SHA1GSC-G401 Potentially bad TLS connection settingsGSC-G402 RSA key length less than 2048 bitsGSC-G403 Suspiciously small untyped constant in `time.Sleep`SCC-SA1004 `Printf` with dynamic first argument and no further argumentsSCC-SA1006 Non-canonical key in `http.Header` mapSCC-SA1008 `nil` `context.Context` passed to functionSCC-SA1012 io.Seeker.Seek is being called with the whence constant IncorrectlySCC-SA1013 Storing non-pointer values in `sync.Pool` allocates memorySCC-SA6002 Useless assignmentVET-V0002 Mismatch between assembly file and Go declarationVET-V0001 Possibly malformed build tagVET-V0005 Unkeyed composite literalsVET-V0007 Issues with `cancel` func returned by context.WithCancelVET-V0011 Bad usage of tests and examplesVET-V0017 `sync.WaitGroup` should be passed as a pointerRVV-B0014 Unused codeSCC-U1000 Shadowing a `builtin`CRT-A0001 Empty `fallthrough` in switch statement can be avoidedCRT-A0003 Invalid conversions of `uintptr` to `unsafe.Pointer`VET-V0020 Method expression can be replaced with method callCRT-A0006 Redundant conversion between `string` and `[]byte`CRT-A0007 Nested `if` can be replaced with `else if`CRT-A0011 Simplify slice expression to sliced value itselfCRT-A0016 Function literal can be simplifiedCRT-A0018 `case` in `switch` is unreachableCRT-D0004 Duplicate arguments passed to functionCRT-D0005 Pointer from `flag` package's method dereferenced immediatelyCRT-D0009 Call to `os.Exit` or `log.Fatal` and friends made in function using `defer`CRT-D0011 Return of `nil` valueCRT-D0013 Off-by-one errorCRT-D0015 Incomplete conditionCRT-D0017 Potential truncation issueCRT-D0020 Function params involve heavy amount of copyingCRT-P0003 `strings.Index` call cause unwanted allocationsCRT-P0004 Copy of large value in `range`CRT-P0005 Copy of large value inside loopCRT-P0006 Exit inside non-main functionRVV-A0003 Functions prefixed with `Get` should return a valueRVV-A0006 Redundant else-blocks can be eliminatedRVV-A0009 Redundant statements can be removedRVV-A0010 Duplicate importsRVV-B0004 Redundant error checkingRVV-B0005 Possibly undesired value being used in goroutineRVV-B0007 Suspicious assignment of range-loop varsRVV-B0008 Redefinition of builtinRVV-B0009 Explicit type conversionRVV-B0010 Possible bad usage of HTTP responseVET-V0009 Unused results of calls to some functionsVET-V0021 Use `time.Sleep` instead of single case `select`SCC-S1037 Unnecessary guard around mapSCC-S1036 `TestMain` doesn't call `os.Exit`, hiding test failuresSCC-SA3000 Audit required: Insecure gRPC serverGO-S0902 Audit required: XML package may be vulnerable to XXE attacksGO-S0903 Audit required: Exposure of sensitive headersGO-S0901 Dot imports are discouragedSCC-ST1001 Unnecessary dereference expressionsCRT-S0012 Use of deprecated Redis methodsGO-W1000 Use of bare return statementsGO-R3003 Use of boolean literals in logic expressionsGO-R3004 Name of an un-exportable symbol starts with a capital letterGO-R3005 Use `http.NoBody` instead of `nil` in `http.NewRequest` callsGO-R4001 Unsafe defer of `.Close` methodGO-S2307 Invalid argument in call to a function from `strconv` packageGO-W5004 Incomplete URL scheme validationGO-S1004 Impossible comparison of interface value with untyped `nil`GO-W5006 String concatenation can be simplifiedGO-R4003 Unnecessary dereference expressionsGO-R4004 Audit required: XPath InjectionGO-S1013 Audit required: Command injection from user-controlled sourcesGO-S1015 Audit required: Incomplete regular expression for hostnameGO-S1016 Audit required: Unsafe quoting for `github.com/Masterminds/squirrel` packageGO-S1017 Audit required: DES cipher algorithm is cryptographically brokenGO-S1022 Audit required: MD5 cipher algorithm is cryptographically brokenGO-S1023 Audit required: RC4 cipher algorithm is cryptographically brokenGO-S1024 Audit required: SHA1 cipher algorithm is cryptographically brokenGO-S1025 Audit required: `SkipDefaultTransaction` set to `false`GO-W1004 Comparing the address of a variable against nilGO-W5005 Poor file permissions used when writing to a new fileGO-S2306 Audit required: `GetLogger` is only for internal use of etcd's clientGO-W1003 `x % 1` is always zeroGO-W5011 `defer`red function literal can be simplifiedGO-C4005 Constant state value in OAuth 2.0 URLGO-S1001 Stack trace exposureGO-S1002 Open URL RedirectGO-S1003 Incomplete Redirect URL validationGO-S1005 Reflected cross-site scriptingGO-S1006 Checking for impossible return value from a builtin functionGO-W5007 Risky constant length comparisonGO-S1007 Size computation for allocation may overflowGO-S1008 Missing regular expression anchorGO-S1009 Integer division of literals that results in zeroGO-W5008 Bitwise exclusive-or used like exponentiationGO-S1012 Email content injectionGO-S1014 Decoding JWT token without validation stepGO-S1019 `MinVersion` is missing from this TLS configurationGO-S1020 Potential slowloris attackGO-S2112 SSLv3 is irreparably broken transport security protocolGO-S1021 Use `net.JoinHostPort` instead of `fmt.Sprintf(...)`GO-S1027 `http.NewRequest` request send to `http://` URLsGO-S1028 TLS cipher suite used is considered weakGO-S1029 Profiling endpoint automatically exposed on `/debug/pprof`GO-S2108 Potential path traversalGO-S2111 Use of `net/http`'s `ListenAndServe` function has no support for setting timeoutsGO-S2114 Impossible interface `nil` checkGO-W1001 `if` and `else`'s condition are the sameGO-W1002 `DryRun` is enabledGO-W1005 Audit required: Use of `reflect.MakeFunc`GO-W1006 Potential issue in `filepath.Join()` function callsGO-W4001 Malformed "code generated" commentGO-W4002 Suspicious `regexp`GO-W4004 Type assertion to current typeGO-W5001 Go constants cannot express negative zeroGO-W5009 `(*net/url.URL).Query` returns a copy, modifying it doesn’t change the URLGO-W5010 Ineffective attempt at sorting sliceGO-W5012 Checking never-nil value against `nil`GO-W5014 Impossible type assertionGO-W5015 Passing odd-sized slice to function expecting even sizeGO-W5017 Dubious bit shifting of a fixed size integer valueGO-W5018 `else` branch of a type assertion is probably not reading the right valueGO-W5020 Ineffective attempt generating random numberGO-W5013 Inappropriate key in call to `context.WithValue`GO-W5003 Bad usage of tests and examplesGO-W1019 Use `(*mail.Address).String()` instead of `fmt.Sprintf` for mail addressGO-W1031 Use `t.Setenv` and friends instead of `os.Setenv` for test file(s)GO-W1032 `Printf`-like function without `f` suffixGO-W6006 Bad usage of tests and examplesGO-W1018 Redundant boolean conditionGO-W1028 Bad use of `recover()`GO-W1030 Audit required: Use of PKCS #1 v1.5 padding with RSAGO-S1030 Audit required: Possible uncontrolled resource consumption using `doublestar.FilepathGlob`GO-S1048 Audit required: `(*crypto/x509.Certificate).Verify` does not use the system time for verificationGO-S1032 Audit Required: Insecure cookie for fiber sessionsGO-S1040 Audit Required: `Same-Site` attribute improperly configured for fiber session cookieGO-S1041 Audit Required: `Same-Site` attribute improperly configured for gin session cookieGO-S1042 Audit required: Possible uncontrolled resource consumption using `doublestar.Glob`GO-S1047 Audit required: Exposure of directory listing using `net/http.FileServer`GO-S1034 Exposure of directory listing using `Static`GO-S1036 Audit Required: Insecure cookie for gin sessionsGO-S1044 Redundant type in variable declarationGO-C5001 Malformed "deprecated" doc commentGO-D4001 Use `utf8.DecodeRuneInString` instead of `[]rune(string)[0]`GO-P4006 Use `fmt.Fprint` instead of `(io.Writer).Write` along with `fmt.Sprint`GO-P4007 Use `(io.StringWriter).WriteString` for writing stringsGO-P4008 Audit required: `(*crypto/x509.Certificate).Verify` does not check for certificate revocationGO-S1031 Random number generator seed doesn't have enough entropyGO-S1033 Exposure of directory listing using `Serve` / `ServeFS`GO-S1035 Using less than 310,000 iterations for PBKDF2GO-S1037 Using a constant salt for PBKDF2GO-S1038 Non HTTP-only cookie for fiber sessionsGO-S1039 Non HTTP-only cookie for gin sessionsGO-S1043 Using a cost factor of less than 10 for bcryptGO-S1045 Using a cost factor of less than 32768 for `scrypt`GO-S1046 Audit required: Tainted value reached a sinkGO-S7000 Pointer from `flag` package's method dereferenced immediatelyGO-W1017 Empty error stringGO-W1024 Recursive call to the `String` receiverGO-W1025 Recursive call to the `Format` receiverGO-W1026 Usage of both value and pointer receiversGO-W1029 Potentially unwanted dependency on evaluation orderGO-W4006 Reassignment of an error from another packageGO-W4007 Suspicious `http.Error` call without following returnGO-W4008 Suspicious call to `sort.Slice`GO-W4009 Potential issue in `Query` callGO-W4010 Subsequent calls to `Load` and `Delete` on `sync.Map` should be replaced with `LoadAndDelete`GO-W4011 `sync.Mutex` or `sync.RWMutex` methods exposedGO-W4013 Call to `(*testing.T).Fatal` and friends from the non-test goroutineGO-W6004 A switch's default case should be the first or last caseSCC-ST1015 Unnecessary blockCRT-A0008 Negating a boolean twiceSCC-SA4013 Function call made to an `unsafe` packageGSC-G103 Omit comparison with boolean constantSCC-S1002 Incorrectly formatted error stringSCC-ST1005 Audit the use of `ssh.InsecureIgnoreHostKey` functionGSC-G106 Audit the random number generation source (rand)GSC-G404 A function's error value should be its last return valueSCC-ST1008 File path traversal when extracting zip archiveGSC-G305 Import blacklist: crypto/md5GSC-G501 `true` is implicit in `switch` statementsCRT-A0015 Hex literal with mixed case lettersCRT-A0005 `switch` with single case can be rewritten as `if` or `if-else`CRT-A0014 Types of function parameters can be combinedCRT-A0017 `append` possibly assigns to a wrong variableCRT-D0001 Possibly incorrect order of argumentsCRT-D0002 Possibly wrong conditional expressionCRT-D0003 `context.Context` should be the first paramRVV-A0002 Confusing naming of struct fields or methodsRVV-B0001 Use constants from `net/http` for HTTP status codes, not the codes directlySCC-ST1013 Don't use Yoda conditionsSCC-ST1017 Avoid zero-width and control characters in string literalsSCC-ST1018 Unnecessary use of `fmt.Sprint/Sprintf`SCC-S1039 Use consistent method receiver namesSCC-ST1016 Poorly chosen name for error variableSCC-ST1012 Poorly chosen name for variable of type time.DurationSCC-ST1011 Audit required: Insecure use of loggerGO-S0904 Audit required: `encoding/xml` is unsafe for security-critical operationsGO-S0905 Incorrect or missing package commentSCC-ST1000 Poorly chosen identifierSCC-ST1003 Poorly chosen receiver nameSCC-ST1006 Use `http.FileSystem(http.Dir(...))` instead of `gin.Dir(...,true)`GO-R1000 Use `%q` to quote a string in `fmt.Sprintf` format specifiersGO-R4002 Non-idiomatic comment formattingGO-C4004 Deprecated `io/ioutil` package usageGO-C4001 Immediate dereferencing of `new` expressionsGO-C4002 Manual conversion to milli or micro secondsGO-C4003 Regular expression can be simplifiedGO-C4007 Function returns too many resultsGO-C4008 Prefer `WriteByte` over `WriteRune` for byte literalsGO-P4005 Use `KeyExists` from `go.etcd.io/etcd/client/v3/clientv3util` insteadGO-R1001 Use `KeyMissing` from `go.etcd.io/etcd/client/v3/clientv3util` insteadGO-R1002 Uncontrolled data used in network requestGO-S1010 Inconsistent direction of `for` loopGO-S1011 `strings.Index` used to cut a stringGO-W1008 Suspicious map literal keyGO-W4003 Importing the same package multiple timesGO-W5021 The documentation of an exported type should start with the type’s nameGO-D5002 Simplify `if` statement for single bool judgmentGO-R1004 Empty declarationGO-W4005 Method declaration preceding the type definitionGO-C4009 TODO comments written without any detail or assigneeGO-C4010 Simplify `Before` or `After` call of `time.Time`GO-C4011 Unnecessary call to `strings.Compare`GO-C4012 Documentation of an exported function should start with the function’s nameGO-D5001 The documentation of an exported variable or constant should start with the variable’s nameGO-D5003 Use `(*bytes.Buffer).Reset` insteadGO-R1003 Empty slice literal used to declare a variableGO-W1027 Redundant `defer`ring of callsGO-W4012 Prefer `filepath.Join` instead of concatenating strings with `os.PathSeparator`GO-W4014 Redundant type assertionsGO-W4015 Unchecked error in `if` statementGO-W4016 Suspicious formatting of errorsGO-W4017 Function with cyclomatic complexity higher than thresholdGO-R1005

GO-S1001

Constant state value in OAuth 2.0 URLGO-S1001

Major

Security

cwe-352, sans-top-25

OAuth 2.0 clients must implement CSRF protection for the redirection URI, typically accomplished by including a value that binds the request to the UA's (user-agent) authenticated state. It is recommended to use the "state" request parameter to deliver the value to the authorization server. Go's OAuth 2.0 library allows you to specify a "state" value which is then included in the auth code URL. That state is then provided back by the remote authentication server in the redirect callback, from where it must be validated. If not validated, it makes the client susceptible to a CSRF attack. So it is essential to use a unique, non-guessable "state" value that is also bound to the user's authenticated state with each authentication request and then validated in the redirect callback.

Bad practice

func do(w http.ResponseWriter) {
    const state = "state_value" // harcoded & highly predictable
    conf := &oauth2.Config{
        ClientID:     os.Getenv("CLIENT_ID"),
        ClientSecret: os.Getenv("CLIENT_SECRET"),
        Endpoint: oauth2.Endpoint{
            AuthURL:  "https://*/oauth2/auth",
            TokenURL: "https://*/oauth2/token",
        },
    }

    url := conf.AuthCodeURL(state)
    // ...
}

Recommended

func encodeStateOAuthCookie(w http.ResponseWriter) string {
    b := make([]byte, 256)
    return base64.URLEncoding.EncodeToString(b)
}

func do(w http.ResponseWriter) {
    conf := &oauth2.Config{
        ClientID:     os.Getenv("CLIENT_ID"),
        ClientSecret: os.Getenv("CLIENT_SECRET"),
        Endpoint: oauth2.Endpoint{
            AuthURL:  "https://*/oauth2/auth",
            TokenURL: "https://*/oauth2/token",
        },
    }

    state := encodeStateOAuthCookie(w) // harder to guess
    url := conf.AuthCodeURL(state)
    // ...
}

References