• Tiger's avatar
    Validate session key when authorizing with GCP to create a cluster · fc8c1a77
    Tiger authored
    It was previously possible to link a GCP account to another
    user's GitLab account by having them visit the callback URL,
    as there was no check that they were the initiator of the
    request.
    
    We now reject the callback unless the state parameter
    matches the one added to the initiating user's session.
    fc8c1a77
authorizations_controller.rb 1.05 KB