From 79604aa4b3051f083d1734bd9e82c6a89d785c5a Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Wed, 20 Dec 2023 16:36:55 +0100
Subject: Fix login (#5955)

fix https://github.com/FreshRSS/FreshRSS/issues/5953
Regression due to https://github.com/FreshRSS/FreshRSS/pull/5946
---
 app/Controllers/authController.php | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 85a722761..ac3fcb0be 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -128,6 +128,15 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 $username = Minz_Request::paramString('username');
 $challenge = Minz_Request::paramString('challenge');
+ if ($nonce === '') {
+ Minz_Log::warning("Invalid session during login for user={$username}, nonce={$nonce}");
+ header('HTTP/1.1 403 Forbidden');
+ Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect
+ Minz_Request::setBadNotification(_t('install.session.nok'));
+ Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+ return;
+ }
 usleep(random_int(100, 10000)); //Primitive mitigation of timing attacks, in μs
 FreshRSS_Context::initUser($username);
-- 
cgit v1.2.3
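Review bot: The new `Minz_Log::warning(...)` line interpolates the request-supplied `$username` into the log message unescaped, so a value containing newlines or other control characters ends up verbatim in the log and can break log-line integrity; the `nonce={$nonce}` part is also always empty inside this guard, since the branch is only entered when `$nonce === ''`. A safer and more useful line is `Minz_Log::warning('Invalid session during login for user=' . json_encode($username, JSON_UNESCAPED_UNICODE));`. Separately, `header('HTTP/1.1 403 Forbidden')` hard-codes the protocol version; `http_response_code(403);` lets PHP emit the status line for whatever protocol the SAPI is actually serving. Note that `$nonce` is assigned before the hunk and the enclosing method starts and ends outside it, so whether it is guaranteed to be a string at this point cannot be confirmed from the hunk alone.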