From c3aabd57ea50c29b28e0c32b9257a838c1fde483 Mon Sep 17 00:00:00 2001
From: Kegan Dougal
Date: Thu, 18 Aug 2016 10:27:19 +0100
Subject: [PATCH] Check for a valid session before exchanging codes
---
 src/github.com/matrix-org/go-neb/realms/github/github.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/github.com/matrix-org/go-neb/realms/github/github.go b/src/github.com/matrix-org/go-neb/realms/github/github.go
index 1dbc812..30028a2 100644
--- a/src/github.com/matrix-org/go-neb/realms/github/github.go
+++ b/src/github.com/matrix-org/go-neb/realms/github/github.go
@@ -172,6 +172,11 @@ func (r *GithubRealm) OnReceiveRedirect(w http.ResponseWriter, req *http.Request
 }
 logger.WithField("user_id", ghSession.UserID()).Print("Mapped redirect to user")
+ if ghSession.AccessToken != "" && ghSession.Scopes != "" {
+ failWith(logger, w, 400, "You have already authenticated with Github", nil)
+ return
+ }
+
 // exchange code for access_token
 res, err := http.PostForm("https://github.com/login/oauth/access_token", url.Values{"client_id": {r.ClientID}, "client_secret": {r.ClientSecret}, "code": {code}})
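Review bot: The new guard only rejects a session when both `AccessToken` and `Scopes` are non-empty, so a session that already holds a token but has an empty scope string would still reach the code exchange and could have its token replaced. GitHub can grant a token with no scopes, so if such a session can be stored here (the store is outside the hunk, so this is inferred), testing the token alone is the safer check: `if ghSession.AccessToken != "" {`. The check and the later save of the token also do not look atomic from what is visible, so two redirects racing on the same state value may both pass it; that is worth confirming against the session store. A short comment above the guard would help the next reader, for example `// A completed session must not be reused: reject a redirect whose state maps to an already-authenticated session.`, and `http.StatusBadRequest` reads better than the literal `400`. OnReceiveRedirect starts and ends outside this hunk.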