preserve CSRF protection

Author: denuoweb

app/auth.py

@@ -408,6 +408,14 @@ def google_login():
 
     # We generate our own state so we can key Redis storage on it reliably
     state = secrets.token_urlsafe(32)
+    session["google_oauth_state"] = state
+
+    # NEW: also persist the state server-side so we can validate without session
+    try:
+        r = _redis_client()
+        r.setex(f"oidc:state:{state}", 600, "1")
+    except Exception as e:
+        current_app.logger.warning("Failed to cache OAuth state in Redis: %s", e)
 
     oauth = OAuth2Session(
         client_id,
@@ -455,6 +463,20 @@ def google_callback():
     # --- CSRF (state) check ---
     state = request.args.get("state")
     expected_state = session.pop("google_oauth_state", None)
+
+    # NEW: accept state if present in Redis (one-time)
+    state_ok = False
+    try:
+        r = _redis_client()
+        if r.get(f"oidc:state:{state}"):
+            state_ok = True
+            r.delete(f"oidc:state:{state}")  # one-time use
+    except Exception as e:
+        current_app.logger.warning("Could not read OAuth state from Redis: %s", e)
+
+    if not state or not (state == expected_state or state_ok):
+        flash("State mismatch. Authentication failed.", "danger")
+        return redirect(url_for("auth.login"))
     if not state or state != expected_state:
         flash("State mismatch. Authentication failed.", "danger")
         return redirect(url_for("auth.login"))