mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-07-06 17:31:41 +00:00
Fix OIDC callback dead-ending on "No session"
When the express-session holding the OIDC transaction is missing at /auth/openid/callback (e.g. the in-memory session store was cleared by a server restart, or the callback page was reloaded), the server returned a bare 400 "No session" white screen and the flow could not recover until the user manually cleared their cookies. Instead, destroy the stale session and clear the connect.sid cookie so the next attempt starts clean, then redirect web clients back to /login to restart the flow. Mobile/API clients (identified by the client-supplied code_verifier) still receive the 400 status they expect.
This commit is contained in:
parent
6f03467f35
commit
b37cc9e4ce
1 changed files with 7 additions and 1 deletions
|
|
@ -385,7 +385,13 @@ class Auth {
|
|||
const sessionKey = this.oidcAuthStrategy.getStrategy()._key
|
||||
|
||||
if (!req.session[sessionKey]) {
|
||||
return res.status(400).send('No session')
|
||||
Logger.warn(`[Auth] No openid session found in callback - restarting login`)
|
||||
const isMobileFlow = !!req.query.code_verifier
|
||||
return req.session.destroy(() => {
|
||||
res.clearCookie('connect.sid')
|
||||
if (isMobileFlow) return res.status(400).send('No session')
|
||||
res.redirect(`/login?error=${encodeURIComponent('Login session expired, please try again')}&autoLaunch=0`)
|
||||
})
|
||||
}
|
||||
|
||||
// If the client sends us a code_verifier, we will tell passport to use this to send this in the token request
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue