Merge pull request #1494 from sharelatex/spd-overleaf-v1-oauth-state

Use 'state' parameter to prevent CSRF attacks when authenticating with v1

GitOrigin-RevId: bf5f8ddffa391d8f3ca84d3588df906b08eb018d
This commit is contained in:
Simon Detheridge 2019-02-11 11:23:53 +00:00 committed by sharelatex
parent ea807d053e
commit c7f30bdfec


@ -75,6 +75,7 @@ module.exports = AuthenticationController =
)(req, res, next) )(req, res, next)
finishLogin: (user, req, res, next) -> finishLogin: (user, req, res, next) ->
return res.redirect('/login') if user == false # OAuth2 'state' mismatch
redir = AuthenticationController._getRedirectFromSession(req) || "/project" redir = AuthenticationController._getRedirectFromSession(req) || "/project"
AuthenticationController._loginAsyncHandlers(req, user) AuthenticationController._loginAsyncHandlers(req, user)
AuthenticationController.afterLoginSessionSetup req, user, (err) -> AuthenticationController.afterLoginSessionSetup req, user, (err) ->