Added CSRF logging in mismatch case

Valentin Brückel · Valentin Brückel · commit 2ff964d0befb · 2025-05-07T17:16:28.000+02:00
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.java
@@ -35,6 +35,7 @@
 import static com.predic8.membrane.core.Constants.*;
 import static com.predic8.membrane.core.http.Header.*;
 import static com.predic8.membrane.core.http.MimeType.*;
+import static com.predic8.membrane.core.interceptor.oauth2.ParamNames.STATE;
 import static com.predic8.membrane.core.interceptor.oauth2client.rf.JsonUtils.isJson;
 import static com.predic8.membrane.core.interceptor.oauth2client.rf.StateManager.*;
 import static com.predic8.membrane.core.interceptor.oauth2client.temp.OAuth2Constants.*;
@@ -100,7 +101,8 @@ public boolean handleRequest(Exchange exc, Session session) throws Exception {
                             "MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION",
                             MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION,
                             Response.badRequest().body(MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION).build());
-                }else {
+                } else {
+                    log.warn("Token from Session: '{}', Token from URI: '{}'", session.get(STATE).toString(), stateFromUri);
                     throw new OAuth2Exception(
                             "MEMBRANE_CSRF_TOKEN_MISMATCH",
                             MEMBRANE_CSRF_TOKEN_MISMATCH,
