This should normally never happen, and should cause an error. But it
should cause an error saying "invalid state received", not an error
saying kaboom.
# Receiving a login request from the provider, so validate data
# and log the user in.
- if request.GET['state'] != request.session.pop('oauth_state'):
+ if request.GET.get('state', '') != request.session.pop('oauth_state'):
log.warning("Invalid state received in {0} oauth2 step from {1}".format(provider, get_client_ip(request)))
- raise Exception("Invalid OAuth state received")
+ return HttpResponse("Invalid OAuth state received")
token = oa.fetch_token(tokenurl,
client_secret=client_secret,
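Review bot: On the new comparison line, `request.session.pop('oauth_state')` still raises KeyError when the session holds no stored state (an expired session, or a callback URL requested directly), so that path still ends in an unhandled exception instead of the intended message. Pop with a default and reject a missing value explicitly, so that an absent stored state can never compare equal to the `''` default of the GET lookup: `expected = request.session.pop('oauth_state', None)` followed by `if not expected or request.GET.get('state') != expected:`. The new `return HttpResponse("Invalid OAuth state received")` also answers with status 200; passing `status=400` would let clients and monitoring see the rejected callback as a failure. The enclosing view starts and ends outside this hunk.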