From 2cbcf8c7eb744027335620fbeb1da4e54fc1f3fe Mon Sep 17 00:00:00 2001
From: Basti Ortiz <39114273+BastiDood@users.noreply.github.com>
Date: Thu, 8 Aug 2024 12:04:52 +0800
Subject: [PATCH] fix(oauth): clear session when encountering errors

---
 app/src/routes/oauth/callback/+server.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/app/src/routes/oauth/callback/+server.js b/app/src/routes/oauth/callback/+server.js
index 6969c53..4734678 100644
--- a/app/src/routes/oauth/callback/+server.js
+++ b/app/src/routes/oauth/callback/+server.js
@@ -12,13 +12,22 @@ export async function GET({ fetch, locals: { db }, cookies, url: { searchParams
     if (typeof sid === 'undefined') redirect(302, '/oauth/login/');
 
     const state = searchParams.get('state');
-    if (state === null) error(400);
+    if (state === null) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const hashedSessionId = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(sid));
-    if (Buffer.from(state, 'base64url').compare(Buffer.from(hashedSessionId)) !== 0) error(400);
+    if (Buffer.from(state, 'base64url').compare(Buffer.from(hashedSessionId)) !== 0) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const code = searchParams.get('code');
-    if (code === null) error(400);
+    if (code === null) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400);
+    }
 
     const body = new URLSearchParams({
         code: parse(AuthorizationCode, code),
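Review bot: The same `cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' })` call is now repeated before each of the three `error(400)` exits, so any later change to the cookie attributes has three places to drift; hoist it into a module-level helper, `const clearSession = (cookies) => cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });`, and call `clearSession(cookies); error(400);` at each site. The delete only takes effect if `path` (and `domain`, when one is used) match the attributes the `sid` cookie was originally set with; that is presumably the case, but the cookie is set outside this hunk, so it is worth confirming. Because `error()` throws, also confirm that the framework still emits the `Set-Cookie` header on the resulting error response — otherwise the new cleanup is silently lost. Separately, the second check compares the caller-supplied `state` against the session digest with `Buffer.compare`, which exits at the first differing byte; `crypto.timingSafeEqual` guarded by a length check is the conventional choice for comparing a secret-derived value. The body of `GET` continues past the end of the hunk.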