diff --git a/src/main/java/com/auth0/RequestProcessor.java b/src/main/java/com/auth0/RequestProcessor.java
index 6163ca3..6796982 100644
--- a/src/main/java/com/auth0/RequestProcessor.java
+++ b/src/main/java/com/auth0/RequestProcessor.java
@@ -292,8 +292,17 @@ private void assertNoError(HttpServletRequest request) throws InvalidRequestExce
 * @throws InvalidRequestException if the request contains a different state from the expected one
 */
 private void assertValidState(HttpServletRequest request, HttpServletResponse response) throws InvalidRequestException {
+ // TODO in v2:
+ // - only store state/nonce in cookies, remove session storage
+ // - create specific exception classes for various state validation failures (missing from auth response, missing
+ // state cookie, mismatch)
+ String stateFromRequest = request.getParameter(KEY_STATE);
+ if (stateFromRequest == null) {
+ throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state parameter was found on the authorization response.");
+ }
+
 // If response is null, check the Session.
 // This can happen when the deprecated handle method that only takes the request parameter is called
 if (response == null) {
@@ -306,6 +315,9 @@ private void assertValidState(HttpServletRequest request, HttpServletResponse re
 // Just in case state was stored in Session by building auth URL with deprecated method, but then called the
 // supported handle method with the request and response
 if (cookieState == null) {
+ if (SessionUtils.get(request, StorageUtils.STATE_KEY) == null) {
+ throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state cookie or state session attribute found. Check that you are using non-deprecated methods and that cookies are not being removed on the server.");
+ }
 checkSessionState(request, stateFromRequest);
 return;
 }
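Review bot: The new guard `if (SessionUtils.get(request, StorageUtils.STATE_KEY) == null)` in the `cookieState == null` branch reads the session attribute that `checkSessionState(request, stateFromRequest)` on the next line presumably looks up again, and if `SessionUtils.get` obtains the session via `getSession()` rather than `getSession(false)` it will allocate a fresh server-side session for every callback that arrives without the state cookie, i.e. for unauthenticated and possibly attacker-initiated requests. Consider guarding the lookup so the missing-state path stays allocation-free, e.g. `if (request.getSession(false) == null || SessionUtils.get(request, StorageUtils.STATE_KEY) == null) {`, or folding the null check into checkSessionState so the session is consulted once. Note also that `stateFromRequest` passed here is only null-checked in the preceding hunk; an empty `state=` parameter passes that check and relies on the later comparison to reject it, which is worth a comment at the call site. assertValidState begins before and continues after this hunk.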