Google OAuth 2.0 login integration via Assent.
Assent's OAuth2 strategy generates and validates a CSRF state token
internally (stored in session_params). This module enforces that
session_params must be present on callback — if the session cookie is
missing (e.g. a forged/forwarded callback URL), the request is rejected.