redmix0901 / oauth2-client-sso


Should check for specific route and session oauth2_auth_state #2

Open nguyenduy4994 opened 1 year ago

nguyenduy4994 commented 1 year ago

In OAuth2SsoMiddleware@handle, we should check that the session "oauth2_auth_state" is OK. But we need to specify the routes that are allowed to bypass if we already have the session "oauth2_auth_state".

Reproduce:

  1. Enter a route with the OAuth2SsoMiddleware middleware and wait for the redirect to the authentication server
  2. Close the tab only (keep the session open for the current website)
  3. Open the route from step 1 in a new tab; now the OAuth2SsoMiddleware middleware will bypass our request because we already have the session "oauth2_auth_state"
nguyenduy4994 commented 1 year ago

Actually, do we need to check session "oauth2_auth_state"? Looks like no oauth2 routes will use this middleware
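The bypass described in the reproduction steps and the follow-up question about where the state check belongs, as an added example that is not the package's own code. It assumes a Laravel-style middleware; the route name `oauth2.callback`, the session key `oauth2_access_token` and the config key `services.oauth2.authorize_url` are hypothetical.

```php
<?php
// Added example, not oauth2-client-sso's code. Laravel-style middleware assumed;
// 'oauth2.callback', 'oauth2_access_token' and the config key are hypothetical.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class OAuth2SsoMiddlewareExample
{
    // Pattern from the issue: a pending "oauth2_auth_state" is treated as proof
    // of login. A tab closed mid-redirect leaves the key in the session, so the
    // next request to the protected route is never sent back to the provider.
    public function handleBefore(Request $request, Closure $next)
    {
        if ($request->session()->has('oauth2_auth_state')) {
            return $next($request); // bypass: pending state is not authentication
        }
        return $this->redirectToProvider($request);
    }

    // Hardened form: "oauth2_auth_state" is only meaningful on the callback route,
    // where it is compared with the returned "state" and consumed. Every other
    // route needs a real authenticated session (here: a stored access token).
    public function handleAfter(Request $request, Closure $next)
    {
        if ($request->routeIs('oauth2.callback')) {
            $expected = $request->session()->pull('oauth2_auth_state');
            $got = (string) $request->query('state', '');
            if ($expected === null || !hash_equals($expected, $got)) {
                abort(403, 'Invalid OAuth2 state');
            }
            return $next($request); // callback controller exchanges the code
        }
        if ($request->session()->has('oauth2_access_token')) {
            return $next($request); // actually authenticated
        }
        // Not authenticated: (re)start the flow, overwriting any stale state.
        return $this->redirectToProvider($request);
    }

    private function redirectToProvider(Request $request)
    {
        $state = Str::random(40);
        $request->session()->put('oauth2_auth_state', $state);
        $request->session()->put('url.intended', $request->fullUrl());
        $query = ['response_type' => 'code', 'state' => $state]; // plus client_id, redirect_uri, scope
        return redirect()->away(config('services.oauth2.authorize_url') . '?' . http_build_query($query));
    }
}
```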