remove the explicit abort 500 in callback when states do not match (#366

)
OWASP · Sep 11, 2023 · 5787724 · 5787724
1 parent 5b13a9a
commit 5787724
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/application/web/web_main.py b/application/web/web_main.py
@@ -454,10 +454,8 @@ def callback():
         flow_instance.flow.fetch_token(authorization_response=request.url)
     except oauthlib.oauth2.rfc6749.errors.MismatchingStateError as mse:
         return redirect("/chatbot")
-    if not session.get("state"):
-        redirect(url_for("web.login"))
-    if session["state"] != request.args["state"]:
-        abort(500)  # State does not match!
+    if not session.get("state") or session.get("state") != request.args["state"]:
+        redirect(url_for("web.login"))  # State does not match!
     credentials = flow_instance.flow.credentials
     token_request = google.auth.transport.requests.Request()
     id_info = id_token.verify_oauth2_token(