magfest · CarensirA-MF · Apr 8, 2026 · Apr 8, 2026
diff --git a/app/__init__.py b/app/__init__.py
@@ -155,7 +155,7 @@ def create_app() -> Flask:
     app.config["SLACK_BOT_TOKEN"] = os.environ.get("SLACK_BOT_TOKEN")
     app.config["SLACK_CHANNEL_ID"] = os.environ.get("SLACK_CHANNEL_ID")
 
-    # --- Proxy Fix for AWS AppRunner ---
+    # --- Proxy Fix for reverse proxies (Heroku, AWS, etc.) ---
     if os.environ.get("BEHIND_PROXY", "false").lower() == "true":
         from werkzeug.middleware.proxy_fix import ProxyFix
         app.wsgi_app = ProxyFix(

diff --git a/app/routes/auth.py b/app/routes/auth.py
@@ -12,6 +12,7 @@
 
 from flask import Blueprint, redirect, url_for, session, flash, current_app, request, render_template
 from authlib.integrations.flask_client import OAuth
+from authlib.integrations.base_client import MismatchingStateError
 
 from app import db
 
@@ -171,6 +172,11 @@ def _handle_google_callback():
 
     try:
         token = oauth.google.authorize_access_token()
+    except MismatchingStateError:
+        current_app.logger.info('Google state mismatch — stale session, retrying OAuth')
+        log_login_failure("stale_session", provider="google", severity="INFO")
+        db.session.commit()
+        return redirect(url_for('auth.login'))
     except Exception as e:
         current_app.logger.error(f'Google OAuth error: {e}')
         log_login_failure("oauth_error", provider="google")
@@ -217,6 +223,14 @@ def _handle_keycloak_callback():
 
     try:
         token = oauth.keycloak.authorize_access_token()
+    except MismatchingStateError:
+        # Stale session: user's Flask session expired but Keycloak SSO session
+        # was still active, so the callback state doesn't match. This is benign
+        # — just re-initiate the OAuth flow and it will succeed on the retry.
+        current_app.logger.info('Keycloak state mismatch — stale session, retrying OAuth')
+        log_login_failure("stale_session", provider="keycloak", severity="INFO")
+        db.session.commit()
+        return redirect(url_for('auth.login'))
     except Exception as e:
         current_app.logger.error(f'Keycloak OAuth error: {e}')
         log_login_failure("oauth_error", provider="keycloak")

diff --git a/app/security_audit.py b/app/security_audit.py
@@ -105,18 +105,20 @@ def log_login_success(user_id: str, provider: str, email: str) -> SecurityAuditL
     )
 
 
-def log_login_failure(reason: str, email: str = None, provider: str = None) -> SecurityAuditLog:
+def log_login_failure(reason: str, email: str = None, provider: str = None,
+                      severity: str = SEVERITY_WARNING) -> SecurityAuditLog:
     """Log failed authentication attempt.
 
     Args:
-        reason: Why the login failed (e.g., 'domain_restricted', 'oauth_error')
+        reason: Why the login failed (e.g., 'domain_restricted', 'oauth_error', 'stale_session')
         email: Email that attempted to log in (if known)
         provider: OAuth provider that was used (if known)
+        severity: Severity level (default WARNING, use INFO for benign failures like stale_session)
     """
     return log_security_event(
         EVENT_LOGIN_FAILURE,
         CATEGORY_AUTH,
-        SEVERITY_WARNING,
+        severity,
         user_id=None,
         details={"reason": reason, "email": email, "provider": provider},
     )