Fix: use state param with oauth (#8636)

2025-09-16 21:55:37 -05:00 · 2025-01-07 19:48:36 -08:00
parent 0ab21b6fc5
commit a899ff16e3
4 changed files with 65 additions and 6 deletions
--- a/src/paperless_mail/views.py
+++ b/src/paperless_mail/views.py
@@ -128,7 +128,16 @@ class OauthCallbackView(GenericAPIView):
            )
            return HttpResponseBadRequest("Invalid request, see logs for more detail")

-        oauth_manager = PaperlessMailOAuth2Manager()
+        oauth_manager = PaperlessMailOAuth2Manager(
+            state=request.session.get("oauth_state"),
+        )
+
+        state = request.query_params.get("state", "")
+        if not oauth_manager.validate_state(state):
+            logger.error(
+                f"Invalid oauth callback request received state: {state}, expected: {oauth_manager.state}",
+            )
+            return HttpResponseBadRequest("Invalid request, see logs for more detail")

        try:
            if scope is not None and "google" in scope: