From c7f30bdfec6769d25fa87f3aaf7982a5107c0f0f Mon Sep 17 00:00:00 2001
From: Simon Detheridge
Date: Mon, 11 Feb 2019 11:23:53 +0000
Subject: [PATCH] Merge pull request #1494 from sharelatex/spd-overleaf-v1-oauth-state
Use 'state' parameter to prefent CSRF attacks when authenticating with v1
GitOrigin-RevId: bf5f8ddffa391d8f3ca84d3588df906b08eb018d
---
 .../Features/Authentication/AuthenticationController.coffee | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
index 45c92c250d..9a440fad8e 100644
--- a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
+++ b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
@@ -75,6 +75,7 @@ module.exports = AuthenticationController =
 )(req, res, next)
 
 finishLogin: (user, req, res, next) ->
+ return res.redirect('/login') if user == false # OAuth2 'state' mismatch
 redir = AuthenticationController._getRedirectFromSession(req) || "/project"
 AuthenticationController._loginAsyncHandlers(req, user)
 AuthenticationController.afterLoginSessionSetup req, user, (err) ->
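Review bot: The new guard at the top of `finishLogin` only fires on the literal `false` (CoffeeScript `==` compiles to `===`), so a `null`/`undefined` user still falls through into `_loginAsyncHandlers` and `afterLoginSessionSetup` with no user, and the comment labels every `false` as a state mismatch although, if this is wired as a Passport custom callback, the strategy appears to pass `false` for any authentication failure, not only the state check. A stricter and more honest guard would be `return res.redirect('/login') unless user  # auth failed (e.g. OAuth2 'state' mismatch)`. Since a state mismatch is a possible CSRF attempt rather than an ordinary login failure, consider emitting a warning log or metric on this path before redirecting, using whatever logger this file already has in scope. Note that `finishLogin` continues past the hunk (the `afterLoginSessionSetup` callback is left open).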