Raise OAuthStateMissingError if OAuth state not in session

Author: davegaeddert

plain-oauth/plain/oauth/exceptions.py

@@ -5,7 +5,7 @@ class OAuthError(Exception):
 
 
 class OAuthStateMissingError(OAuthError):
-    message = "The state parameter is missing. Please try again."
+    message = "The OAuth state is missing. Your session may have expired or cookies may be blocked. Please try again."
 
 
 class OAuthStateMismatchError(OAuthError):

plain-oauth/plain/oauth/providers.py

@@ -114,6 +114,8 @@ def check_request_state(self, *, request: Request) -> None:
             raise OAuthStateMissingError() from e
 
         session = get_request_session(request)
+        if SESSION_STATE_KEY not in session:
+            raise OAuthStateMissingError()
         expected_state = session.pop(SESSION_STATE_KEY)
         session.save()  # Make sure the pop is saved (won't save on an exception)
         if not secrets.compare_digest(state, expected_state):