oauth: raise error if session state is missing

ref #9476
8 years ago · 88f55b01d8
parent 0848ba2e9c
commit 88f55b01d8
1 changed files with 6 additions and 2 deletions
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@ -71,8 +71,12 @@ func OAuthLogin(ctx *middleware.Context) {
 		return
 	}

-	// verify state string
-	savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+	savedState, ok := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+	if !ok {
+		ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
+		return
+	}
+
 	queryState := ctx.Query("state")
 	if savedState != queryState {
 		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)