fix(oauth): add error messages for failed logins

BastiDood · Aug 10, 2024 · 855d7ad · 855d7ad
1 parent 71e20bc
commit 855d7ad
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/app/src/routes/oauth/callback/+server.js b/app/src/routes/oauth/callback/+server.js
@@ -11,22 +11,22 @@ export async function GET({ fetch, locals: { db }, cookies, url: { searchParams
     const sid = cookies.get('sid');
     if (typeof sid === 'undefined') redirect(302, '/oauth/login/');
 
+    const code = searchParams.get('code');
+    if (code === null) {
+        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
+        error(400, 'Authorization code is missing.');
+    }
+
     const state = searchParams.get('state');
     if (state === null) {
         cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
-        error(400);
+        error(400, 'State challenge is missing.');
     }
 
     const hashedSessionId = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(sid));
     if (Buffer.from(state, 'base64url').compare(Buffer.from(hashedSessionId)) !== 0) {
         cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
-        error(400);
-    }
-
-    const code = searchParams.get('code');
-    if (code === null) {
-        cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax' });
-        error(400);
+        error(400, 'Session state mismatch detected. Please log in again or clear your browser cookies.');
     }
 
     const body = new URLSearchParams({