From 8106b6985620956ce8cfa4126143a95ca87ea976 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Thu, 28 Jul 2022 16:43:27 +0200
Subject: [feature] add 'state' oauth2 param to /oauth/authorize (#730)
---
 internal/api/client/auth/callback.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'internal/api/client/auth/callback.go')
diff --git a/internal/api/client/auth/callback.go b/internal/api/client/auth/callback.go
index 34a4995c8..96a73a52f 100644
--- a/internal/api/client/auth/callback.go
+++ b/internal/api/client/auth/callback.go
@@ -45,26 +45,26 @@ func (m *Module) CallbackGETHandler(c *gin.Context) {
 // check the query vs session state parameter to mitigate csrf
 // https://auth0.com/docs/secure/attack-protection/state-parameters
-state := c.Query(callbackStateParam)
-if state == "" {
+returnedInternalState := c.Query(callbackStateParam)
+if returnedInternalState == "" {
 m.clearSession(s)
 err := fmt.Errorf("%s parameter not found on callback query", callbackStateParam)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
-savedStateI := s.Get(sessionState)
-savedState, ok := savedStateI.(string)
+savedInternalStateI := s.Get(sessionInternalState)
+savedInternalState, ok := savedInternalStateI.(string)
 if !ok {
 m.clearSession(s)
-err := fmt.Errorf("key %s was not found in session", sessionState)
+err := fmt.Errorf("key %s was not found in session", sessionInternalState)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
-if state != savedState {
+if returnedInternalState != savedInternalState {
 m.clearSession(s)
-err := errors.New("mismatch between query state and session state")
+err := errors.New("mismatch between callback state and saved state")
 api.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGet)
 return
 }
-- cgit v1.2.3
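Review bot: The comment at the top of the hunk still reads `// check the query vs session state parameter to mitigate csrf`, but the rename to `returnedInternalState`/`sessionInternalState` implies this value is now distinct from the client-supplied OAuth2 `state` parameter the commit subject introduces, and the comment no longer says which of the two is being verified here. Suggest rewording it to `// check the internal state param on the callback query against the one saved in the session to mitigate csrf; this is separate from the oauth2 'state' param supplied by the client` (adjust the second clause if the client-supplied value is not handled in this file). The `!ok` branch's message `key %s was not found in session` also fires when the key is present but holds a non-string value; `key %s missing or not a string in session` would describe both cases. CallbackGETHandler starts and continues outside the hunk, so I cannot see from here whether the saved internal state is removed from the session after a successful match; it should be single-use so a replayed callback URL does not pass this check again.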