
fix(oauth2): clear state and code verifier from session after use

Prevents replay of the one-time-use PKCE code verifier and CSRF state
values by clearing them from the app session immediately after the
OAuth2 callback consumes them.
Frédéric Guillot 3 달 전
부모
커밋
b4c9719000
1개의 변경된 파일4개의 추가작업 그리고 1개의 파일을 삭제
  1. 4 1
      internal/ui/oauth2_callback.go

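--- a/internal/ui/oauth2_callback.go
+++ b/internal/ui/oauth2_callback.go
@@ -63,8 +63,11 @@ func (h *handler) oauth2Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	printer := locale.NewPrinter(request.UserLanguage(r))
 	sess := session.New(h.store, request.SessionID(r))
+	sess.SetOAuth2State("")
+	sess.SetOAuth2CodeVerifier("")
+
+	printer := locale.NewPrinter(request.UserLanguage(r))
 
 	if request.IsAuthenticated(r) {
 		loggedUser, err := h.store.UserByID(request.UserID(r))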
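Review bot: The two `sess.SetOAuth2State("")` / `sess.SetOAuth2CodeVerifier("")` calls carry no comment explaining why the values are wiped at this point, and since `oauth2Callback` begins before this hunk it is not visible whether the early `return` paths above (presumably the state and verifier validation) also clear them; if a failed validation leaves the stored state intact, the same state remains usable for a further attempt. A comment above the first call such as `// State and code verifier are single-use: wipe them as soon as they have been consumed so a replayed callback fails validation.` would make the intent clear to the next maintainer. It is also worth confirming that the session setters obtained via `session.New(h.store, ...)` persist the cleared values to the store rather than only mutating the in-memory object, otherwise the replay protection the commit message describes would not take effect.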