# HG changeset patch
# User bsw
# Date 1597931504 -7200
# Node ID 3bd7f57f887a78c039b0b0d58f3d14df0647245a
# Parent 71232f776a62c7ed55fec94fa62f33aca196f646
Do not create new session for invalid oauth2 session request
diff -r 71232f776a62 -r 3bd7f57f887a app/main/_filter/20_session.lua
--- a/app/main/_filter/20_session.lua Thu Aug 20 15:48:52 2020 +0200
+++ b/app/main/_filter/20_session.lua Thu Aug 20 15:51:44 2020 +0200
@@ -1,9 +1,10 @@
 local cookie = request.get_cookie{ name = config.cookie_name }
 local cookie_samesite = request.get_cookie{ name = config.cookie_name_samesite }
+local oauth2_session_request = request.get_module() == "oauth2" and request.get_view() == "session"
+
 if
- cookie and cookie ~= cookie_samesite
- and not (request.get_module() == "oauth2" and request.get_view() == "session")
+ cookie and cookie ~= cookie_samesite and not oauth2_session_request
 then
 slot.put_into("error", _"Cookie error. Try restarting your web browser and login again.")
 ui.script{ script = [[
@@ -25,7 +26,8 @@
 if cookie then
 app.session = Session:by_ident(cookie)
 end
-if not app.session then
+
+if not app.session and not oauth2_session_request then
 app.session = Session:new()
 app.session:set_cookie()
 end
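Review bot: The new `oauth2_session_request` local in the first hunk has no comment, although it now gates two security-relevant decisions: the cookie/samesite-cookie comparison here and session creation further down the file. A reader cannot tell from the name why this one module/view pair is exempt, and either check could be "simplified" away later without anyone noticing. I would add a comment above the assignment such as `-- oauth2/session view: exempt from the samesite cookie comparison and from implicit session creation below`, plus one sentence from the author giving the reason for the exemption. The body of the `if` block continues outside the hunk.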
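Review bot: With the changed condition in the second hunk, `app.session` can stay nil for the rest of the request when the oauth2 session view is called without a cookie, or with one that `Session:by_ident(cookie)` does not resolve. Any later code in this filter, in subsequent filters, or in the view itself that indexes `app.session` without a nil check would then raise an error instead of answering as "not logged in". None of that code is visible in this patch, so this needs to be confirmed against the oauth2 session view. A short comment on the condition would also record the intent, e.g. `-- an unknown or missing cookie on oauth2/session must stay sessionless; never mint a session here`.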