Let authentication fail when session validation fails (fixes #1396) (#1433)

* Error page for session validation failure * Fix existing tests * Add test-case for session validation failure * Simplify test * Add changelog entry for PR Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2025-06-15 00:15:00 +02:00 · 2021-11-12 19:36:29 +01:00
parent 9caf8c7040
commit 2c668a52d4
3 changed files with 33 additions and 3 deletions
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -755,7 +755,11 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 	}

 	csrf.SetSessionNonce(session)
-	p.provider.ValidateSession(req.Context(), session)
+	if !p.provider.ValidateSession(req.Context(), session) {
+		logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Session validation failed: %s", session)
+		p.ErrorPage(rw, req, http.StatusForbidden, "Session validation failed")
+		return
+	}

 	if !p.redirectValidator.IsValidRedirect(appRedirect) {
 		appRedirect = "/"