Experiment with state mismatch

artursmirnov · artursmirnov · commit 28956b86816d · 2020-07-10T18:27:59.000Z
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
@@ -166,7 +166,7 @@ def handshake
           if params[:code]
             unless state_ok?(params[:state])
               log_with_request_id("[handshake] Handshake failed (state mismatch)")
-              halt 400, 'state mismatch'
+              handle_invalid_response
             end
 
             endpoint.path          = config[:access_token_path]
@@ -196,7 +196,7 @@ def remote_vcs_user
         def vcs_handshake
           if params[:code]
             unless state_ok?(params[:state], params[:provider])
-              halt 400, 'state mismatch'
+              handle_invalid_response
             end
 
             vcs_data = remote_vcs_user.authenticate(
@@ -259,6 +259,19 @@ def cookie_name(provider = :github)
 
         # VCS HANDSHAKE END
 
+        def clear_state_cookies
+          response.delete_cookie cookie_name(:github)
+          response.delete_cookie cookie_name(:gitlab)
+          response.delete_cookie cookie_name(:bitbucket)
+          response.delete_cookie cookie_name(:assembla)
+        end
+
+        def handle_invalid_response
+          clear_state_cookies
+          back_url = request.get_header('Referer') || Travis.config.host
+          response.redirect(back_url)
+        end
+
         def create_state
           state = SecureRandom.urlsafe_base64(16)
           redis.sadd('github:states', state)
diff --git a/spec/unit/endpoint/authorization_spec.rb b/spec/unit/endpoint/authorization_spec.rb
@@ -51,7 +51,7 @@
       it 'does not succeed if state cookie mismatches' do
         Travis.redis.sadd('github:states', 'github-state')
         response = get '/auth/handshake?state=github-state&code=oauth-code'
-        expect(response.status).to eq(400)
+        expect(response.status).to eq(302)
         expect(response.body).to eq("state mismatch")
         Travis.redis.srem('github:states', 'github-state')
       end
