From c28b14e8411e2e593f280b2c80b6df715b52f415 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Thu, 31 Aug 2017 09:36:29 +0200
Subject: [PATCH] Don't crash when oauth provider does not include state

This should normally never happen, and should cause an error. But it should cause an error saying "invalid state received", not an error saying kaboom.
---
 pgweb/account/oauthclient.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgweb/account/oauthclient.py b/pgweb/account/oauthclient.py
index ae17bbdd..cdb5f7ee 100644
--- a/pgweb/account/oauthclient.py
+++ b/pgweb/account/oauthclient.py
@@ -26,9 +26,9 @@ def _login_oauth(request, provider, authurl, tokenurl, scope, authdatafunc):
 # Receiving a login request from the provider, so validate data
 # and log the user in.
-if request.GET['state'] != request.session.pop('oauth_state'):
+if request.GET.get('state', '') != request.session.pop('oauth_state'):
 log.warning("Invalid state received in {0} oauth2 step from {1}".format(provider, get_client_ip(request)))
-raise Exception("Invalid OAuth state received")
+return HttpResponse("Invalid OAuth state received")
 token = oa.fetch_token(tokenurl, client_secret=client_secret,
-- 
2.39.5
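Review bot: The new comparison still crashes on the session side: `request.session.pop('oauth_state')` has no default, so a callback that arrives without a preceding login start (expired or missing session cookie, or the callback URL hit directly) raises KeyError — the same "kaboom" this commit removes for the missing GET parameter. Using `request.session.pop('oauth_state', None)` closes that gap, and because the GET side defaults to `''`, the two missing-value cases still compare unequal and fall into the rejection branch rather than passing. The rejection itself is returned as a plain HTTP 200, which hides the failure from clients and from anything watching status codes; `return HttpResponse("Invalid OAuth state received", status=400)` keeps the message and makes the outcome visible (403 is equally defensible). The `log.warning(...)` context line appears to sit inside the `if`, though its indentation is lost in this rendering; `_login_oauth` continues outside the hunk.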