From 88f55b01d81e304c194101ca8e9bfe1ced5d305e Mon Sep 17 00:00:00 2001
From: bergquist
Date: Thu, 12 Oct 2017 15:24:20 +0200
Subject: [PATCH] oauth: raise error if session state is missing ref #9476
---
 pkg/api/login_oauth.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index e1aa17bcd71..847f09f0eb8 100644
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -71,8 +71,12 @@ func OAuthLogin(ctx *middleware.Context) {
 return
 }
- // verify state string
- savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+ savedState, ok := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+ if !ok {
+ ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
+ return
+ }
+
 queryState := ctx.Query("state")
 if savedState != queryState {
 ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
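Review bot: The new `ok` check rejects a missing or non-string session value, but an empty string still passes it, so an empty saved state and a callback with no `state` parameter would compare equal at `savedState != queryState`; the guard should be `if !ok || savedState == "" {`. Whether the session can ever hold an empty state is not visible in this hunk, so treat this as defence in depth for the CSRF check rather than a confirmed bypass. The commit also drops the `// verify state string` comment; I would keep one above the block, for example `// verify the OAuth state parameter against the session copy (CSRF protection)`. OAuthLogin starts and ends outside the hunk, so whether the saved state is cleared from the session after the comparison cannot be judged from here.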