From fd59e2a9a42b787a8803ccf18a5d1e56d4dbcbe7 Mon Sep 17 00:00:00 2001
From: Edward Betts
Date: Thu, 14 May 2026 10:14:59 +0100
Subject: [PATCH] Guard oauth callback against missing session tokens
---
 web_view.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/web_view.py b/web_view.py
index ae2564d..7895c8d 100755
--- a/web_view.py
+++ b/web_view.py
@@ -222,13 +222,16 @@ def start_oauth() -> Response:
 def oauth_callback() -> werkzeug.wrappers.response.Response:
 """Oauth callback."""
 client_key = app.config["CLIENT_KEY"]
+ if "owner_key" not in flask.session or "owner_secret" not in flask.session:
+ return flask.redirect(flask.url_for("start_oauth"))
+
 client_secret = app.config["CLIENT_SECRET"]
 oauth = OAuth1Session(
 client_key,
 client_secret=client_secret,
- resource_owner_key=flask.session.get("owner_key"),
- resource_owner_secret=flask.session.get("owner_secret"),
+ resource_owner_key=flask.session["owner_key"],
+ resource_owner_secret=flask.session["owner_secret"],
 )
 oauth_response = oauth.parse_authorization_response(flask.request.url)
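Review bot: The new guard only checks that the session holds a request token, not that it is the token the provider is echoing back: `oauth.parse_authorization_response(flask.request.url)` reads `oauth_token` from the caller-controlled callback URL (requests-oauthlib populates the client's resource owner key from it), so a forged or mismatched callback is still processed with the session's secret. Right after that call, reject a mismatch with `if oauth_response.get("oauth_token") != flask.session["owner_key"]:` / `    flask.abort(400)` (or redirect to `start_oauth` as the new guard does), and consider popping the two session keys once the access token has been exchanged so the request token is single-use. As a point of style the guard would read better as the first statement of the body rather than between the two `app.config` reads, and the docstring should say that a missing token restarts the flow. If the session cookie cannot be set for some reason, redirecting to `start_oauth` may loop through the provider indefinitely, which is worth confirming against how that route sets the session. `oauth_callback`'s body continues past the hunk.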