DEV: Update DiscourseConnect nonce errors to be more descriptive (#14858)

David Taylor 2021-11-09 17:39:05 +00:00 committed by GitHub
parent 769d53ff09
commit 5ac10e2e79
2 changed files with 15 additions and 2 deletions


@ -50,8 +50,10 @@ class DiscourseSingleSignOn < SingleSignOn
def nonce_error
if Discourse.cache.read(used_nonce_key).present?
"Nonce has already been used"
elsif SiteSetting.discourse_connect_csrf_protection
"Nonce is incorrect, was generated in a different browser session, or has expired"
else
"Nonce has expired"
"Nonce is incorrect, or has expired"
end
end
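Review bot: `nonce_error` has no doc comment, and its branches now encode a non-obvious ordering: the cache lookup on the first line is evaluated before `SiteSetting.discourse_connect_csrf_protection`, so a replayed nonce reports "already been used" regardless of the setting, and the two remaining messages are reached only when the nonce is absent from the cache entirely. A one-line comment above `def nonce_error` would make that explicit, e.g. `# Human-readable reason for a nonce failure; presumably only meaningful after nonce_valid? is false — the "already used" check takes priority over the CSRF-dependent wording.` The messages are hard-coded English strings rather than I18n keys; if they are surfaced to end users rather than only logged, that may be worth revisiting separately. The enclosing class continues outside the hunk.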


@ -544,7 +544,18 @@ describe DiscourseSingleSignOn do
expect(sso.nonce_valid?).to eq true
Discourse.cache.delete(sso.used_nonce_key)
expect(sso.nonce_error).to eq("Nonce has expired")
expect(sso.nonce_error).to eq("Nonce is incorrect, was generated in a different browser session, or has expired")
end
it "generates correct error message when nonce is expired, and csrf protection disabled" do
SiteSetting.discourse_connect_csrf_protection = false
_ , payload = DiscourseSingleSignOn.generate_url(secure_session: secure_session).split("?")
sso = DiscourseSingleSignOn.parse(payload, secure_session: secure_session)
expect(sso.nonce_valid?).to eq true
Discourse.cache.delete(sso.used_nonce_key)
expect(sso.nonce_error).to eq("Nonce is incorrect, or has expired")
end
end
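Review bot: The example ending just before the new one now expects the CSRF-protection wording but does not set `SiteSetting.discourse_connect_csrf_protection` itself, so it appears to depend on the setting's default being `true`; if that default ever changes the expectation on the "was generated in a different browser session" line would fail for an unrelated reason. Adding `SiteSetting.discourse_connect_csrf_protection = true` at the top of that example (its start is outside the hunk) mirrors the explicit `= false` in the new example and makes both self-describing. Minor style point on the new example: `_ , payload = ...` has a space before the comma; RuboCop's Layout/SpaceBeforeComma would want `_, payload = DiscourseSingleSignOn.generate_url(secure_session: secure_session).split("?")`.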