From 777f1f0f47ecce5ccba7c269f461244a887e4e55 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Thu, 4 May 2017 15:35:03 -0400
Subject: [PATCH] FIX: Return a 404 if the auth session is not present

---
 app/controllers/users/omniauth_callbacks_controller.rb | 2 ++
 spec/integration/omniauth_callbacks_spec.rb | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index d7097eb434c..8809e94d4c0 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -31,6 +31,8 @@ class Users::OmniauthCallbacksController < ApplicationController
   def complete
     auth = request.env["omniauth.auth"]
+    raise Discourse::NotFound unless request.env["omniauth.auth"]
+
     auth[:session] = session
     authenticator = self.class.find_authenticator(params[:provider])
diff --git a/spec/integration/omniauth_callbacks_spec.rb b/spec/integration/omniauth_callbacks_spec.rb
index 7549e90f776..b57d4eda2cc 100644
--- a/spec/integration/omniauth_callbacks_spec.rb
+++ b/spec/integration/omniauth_callbacks_spec.rb
@@ -16,6 +16,13 @@ RSpec.describe "OmniAuth Callbacks" do
     SiteSetting.enable_google_oauth2_logins = true
   end
+  context "without an `omniauth.auth` env" do
+    it "should return a 404" do
+      get "/auth/eviltrout/callback"
+      expect(response).not_to be_success
+    end
+  end
+
   describe 'when user has been verified' do
     before do
       OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
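Review bot: The added guard re-reads `request.env["omniauth.auth"]` one line after the same value was assigned to `auth`, so the check and the value that is actually used can drift if either line is edited later; guarding the local is clearer and equivalent: `raise Discourse::NotFound unless auth`. A short comment on the guard would also help the next reader understand that a bare request to the callback URL, with no OmniAuth middleware result in the env, is expected to 404 rather than 500, e.g. `# No OmniAuth result in env: callback was hit directly, not via the provider redirect`. The body of `complete` continues outside the hunk, so I cannot tell from here whether `find_authenticator` with an unknown provider is handled the same way.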
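Review bot: The new example is titled "should return a 404" but only asserts `expect(response).not_to be_success`, which a 500 from a NoMethodError on the nil `auth` (the pre-fix behaviour) would also satisfy, so the spec does not actually pin the fix; assert the status explicitly: `expect(response.status).to eq(404)`. The request also uses the provider name `eviltrout`, which presumably matches no registered authenticator, so the 404 may be produced by provider lookup rather than by the missing `omniauth.auth` env the commit targets — consider using a provider that is enabled in this file (`google_oauth2` is switched on in the `before` block just above) while leaving `OmniAuth.config.mock_auth` unset, so the example isolates the missing-env path.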