@@ -34,8 +34,11 @@ func (h *handler) oauth2Callback(w http.ResponseWriter, r *http.Request) {
|
|
|
sess := request.WebSession(r)
|
|
|
|
|
|
state := request.QueryStringParam(r, "state", "")
|
|
|
- if subtle.ConstantTimeCompare([]byte(state), []byte(sess.OAuth2State())) == 0 {
|
|
|
- slog.Warn("Invalid OAuth2 state value received")
|
|
|
+ expectedState := sess.OAuth2State()
|
|
|
+ if expectedState == "" || subtle.ConstantTimeCompare([]byte(state), []byte(expectedState)) == 0 {
|
|
|
+ slog.Warn("Invalid OAuth2 state value received",
|
|
|
+ slog.String("provider", provider),
|
|
|
+ )
|
|
|
response.HTMLRedirect(w, r, h.routePath("/"))
|
|
|
return
|
|
|
}
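Review bot: The warning on the new `slog.Warn` call cannot distinguish the two cases the added guard now rejects — no state stored in the session (fresh or expired session, or a callback that did not start here) versus a genuine mismatch — which is the difference an operator needs when triaging these events; consider adding `slog.Bool("session_state_set", expectedState != "")` next to the provider attribute, without logging either state value itself. The `provider` value used in the log is defined above the hunk, and oauth2Callback both starts and continues outside it, so I cannot see whether the stored state is cleared after this comparison; if it is not, it should be reset once consumed so a state value is accepted only once per session.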