diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 04812f13f4e..31a4b830adb 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -50,8 +50,10 @@ class DiscourseSingleSignOn < SingleSignOn
 def nonce_error
 if Discourse.cache.read(used_nonce_key).present?
 "Nonce has already been used"
+ elsif SiteSetting.discourse_connect_csrf_protection
+ "Nonce is incorrect, was generated in a different browser session, or has expired"
 else
- "Nonce has expired"
+ "Nonce is incorrect, or has expired"
 end
 end
 
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index ebc2d0861c7..fdd34c579e6 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -544,7 +544,18 @@ describe DiscourseSingleSignOn do
 expect(sso.nonce_valid?).to eq true
 
 Discourse.cache.delete(sso.used_nonce_key)
- expect(sso.nonce_error).to eq("Nonce has expired")
+ expect(sso.nonce_error).to eq("Nonce is incorrect, was generated in a different browser session, or has expired")
+ end
+
+ it "generates correct error message when nonce is expired, and csrf protection disabled" do
+ SiteSetting.discourse_connect_csrf_protection = false
+ _ , payload = DiscourseSingleSignOn.generate_url(secure_session: secure_session).split("?")
+
+ sso = DiscourseSingleSignOn.parse(payload, secure_session: secure_session)
+ expect(sso.nonce_valid?).to eq true
+
+ Discourse.cache.delete(sso.used_nonce_key)
+ expect(sso.nonce_error).to eq("Nonce is incorrect, or has expired")
 end
 end
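Review bot: `nonce_error` now returns one of three messages, but nothing in the method says why the wording of the non-reuse case depends on `SiteSetting.discourse_connect_csrf_protection`, so a reader has to already know what that setting changes about nonce validation. A one-line comment above the new `elsif` would make the branch self-explanatory, e.g. `# With CSRF protection on the nonce is tied to the browser session that started the login, so a mismatch may mean a different session rather than a stale nonce; otherwise only a bad or expired nonce is possible.` That session-binding behaviour is inferred from the setting name and the new message text rather than from lines in this hunk, so confirm it against `nonce_valid?` before wording the comment. The enclosing class continues outside the hunk.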
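Review bot: The modified expectation in the first example relies on `SiteSetting.discourse_connect_csrf_protection` being enabled by default, while the new example sets it to false explicitly; if that default ever changes, the first example fails with no indication of why. Set the condition explicitly at the top of that example, `SiteSetting.discourse_connect_csrf_protection = true`, so both examples state the configuration they exercise (the example's opening `it` line is outside the hunk). Minor style point in the new example: `_ , payload` has a space before the comma; `_, payload = ...` is the conventional spelling.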