authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2023-12-20 16:36:55 +0100
committerGravatar GitHub <noreply@github.com> 2023-12-20 16:36:55 +0100
commit79604aa4b3051f083d1734bd9e82c6a89d785c5a (patch)
treeb0b239c679191cfc6768eb437e851ab26679e329 /app/Controllers/authController.php
parenta80a5f48a16e7d232168a7aaa68e9a1804235ce1 (diff)
Fix login (#5955)
Fixes https://github.com/FreshRSS/FreshRSS/issues/5953, a regression introduced by https://github.com/FreshRSS/FreshRSS/pull/5946
Diffstat (limited to 'app/Controllers/authController.php')
-rw-r--r--app/Controllers/authController.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 85a722761..ac3fcb0be 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -128,6 +128,15 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
$username = Minz_Request::paramString('username');
$challenge = Minz_Request::paramString('challenge');
+ if ($nonce === '') {
+ Minz_Log::warning("Invalid session during login for user={$username}, nonce={$nonce}");
+ header('HTTP/1.1 403 Forbidden');
+ Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect
+ Minz_Request::setBadNotification(_t('install.session.nok'));
+ Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+ return;
+ }
+
usleep(random_int(100, 10000)); //Primitive mitigation of timing attacks, in μs
FreshRSS_Context::initUser($username);