fix(oauth): clear session when encountering errors

BastiDood · Aug 8, 2024 · 2cbcf8c · 2cbcf8c
1 parent 1e131e0
commit 2cbcf8c
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/app/src/routes/oauth/callback/+server.js b/app/src/routes/oauth/callback/+server.js
@@ -12,13 +12,22 @@ export async function GET({ fetch, locals: { db }, cookies, url: { searchParams
     if (typeof sid === 'undefined') redirect(302, '/oauth/login/');
 
     const state = searchParams.get('state');
-    if (state === null) error(400);
+    if (state === null) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const hashedSessionId = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(sid));
-    if (Buffer.from(state, 'base64url').compare(Buffer.from(hashedSessionId)) !== 0) error(400);
+    if (Buffer.from(state, 'base64url').compare(Buffer.from(hashedSessionId)) !== 0) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const code = searchParams.get('code');
-    if (code === null) error(400);
+    if (code === null) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const body = new URLSearchParams({
         code: parse(AuthorizationCode, code),