fix: Discord OAuth CSRF cookie SameSite=None for cross-site callback

- Changed __DiscordOAuthState cookie from SameSite=Strict to SameSite=None because Discord redirects from discord.com (cross-site) and Strict prevents the cookie from being sent on the callback request. - Added logging for CSRF validation failure to aid future diagnostics. Bump version → 2.8.1 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix: add Discord OAuth token exchange logging for production diagnostics
2026-05-25 13:08:14 +03:00 · 2026-05-25 12:46:56 +03:00
8 changed files with 31 additions and 23 deletions
@@ -6,7 +6,7 @@ on:
      - main 

 env:
-  VERSION: 2.8.0
+  VERSION: 2.8.1

 jobs:
  # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -1,6 +1,6 @@
 <Project>
  <PropertyGroup>
-    <Version>2.8.0</Version>
+    <Version>2.8.1</Version>
    <TargetFramework>net10.0</TargetFramework>
    <LangVersion>preview</LangVersion>
    <Nullable>enable</Nullable>
@@ -49,7 +49,7 @@ services:
        crond -f

  bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.1
    restart: always
    depends_on:
      db:
@@ -67,7 +67,7 @@ services:
      retries: 3

  discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.1
    restart: always
    depends_on:
      db:
@@ -84,7 +84,7 @@ services:
      retries: 3

  web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.1
    restart: always
    depends_on:
      db:
@@ -66,7 +66,7 @@
                    </button>
                </form>

-                <div class="nav-version">v2.8.0</div>
+                <div class="nav-version">v2.8.1</div>
            </div>
        </Authorized>
        <NotAuthorized>
@@ -192,7 +192,7 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
    {
        HttpOnly = true,
        Secure = true,
-        SameSite = SameSiteMode.Strict,
+        SameSite = SameSiteMode.None,
        MaxAge = TimeSpan.FromMinutes(5)
    });
    var url = discordAuth.BuildAuthorizeUrl(state);
@@ -202,7 +202,8 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
    HttpContext context,
    DiscordAuthService discordAuth,
-    ISessionStore sessionStore) =>
+    ISessionStore sessionStore,
+    ILogger<Program> logger) =>
 {
    var code = context.Request.Query["code"].ToString();
    var state = context.Request.Query["state"].ToString();
@@ -216,6 +217,8 @@ app.MapGet("/auth/discord/callback", async (
            System.Text.Encoding.UTF8.GetBytes(state),
            System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
    {
+        logger.LogWarning("Discord OAuth CSRF validation failed. code_present={CodePresent}, state_present={StatePresent}, stored_state_present={StoredStatePresent}",
+            !string.IsNullOrWhiteSpace(code), !string.IsNullOrWhiteSpace(state), !string.IsNullOrWhiteSpace(storedState));
        return Results.Redirect("/login?error=auth_failed");
    }

@@ -5,7 +5,7 @@ using System.Text.Json.Serialization;

 namespace GmRelay.Web.Services;

-public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration)
+public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration, ILogger<DiscordAuthService> logger)
 {
    private readonly DiscordOAuthOptions _options = configuration.GetSection("Discord").Get<DiscordOAuthOptions>() ?? new DiscordOAuthOptions();

@@ -40,10 +40,14 @@ public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, ICo
        });

        var response = await client.PostAsync("https://discord.com/api/oauth2/token", content);
-        if (!response.IsSuccessStatusCode)
-            return null;
-
        var json = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            logger.LogError("Discord token exchange failed: {StatusCode} {Body}. client_id={ClientId}, redirect_uri={RedirectUri}",
+                (int)response.StatusCode, json, _options.ClientId, _options.RedirectUri);
+            return null;
+        }
+
        return JsonSerializer.Deserialize<DiscordTokenResponse>(json);
    }

@@ -61,7 +61,7 @@ public sealed class DiscordProjectStructureTests
        var prChecks = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "pr-checks.yml"));
        var deploy = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml"));

-        Assert.Contains("gmrelay-discord-bot:2.8.0", compose);
+        Assert.Contains("gmrelay-discord-bot:2.8.1", compose);
        Assert.Contains("Discord__Token=${DISCORD_BOT_TOKEN:?Set DISCORD_BOT_TOKEN in .env}", compose);
        Assert.Contains("src/GmRelay.DiscordBot/Dockerfile", deploy);
        Assert.Contains("DISCORD_BOT_TOKEN", deploy);
@@ -75,13 +75,13 @@ public sealed class DiscordProjectStructureTests
    {
        var repoRoot = GetRepoRoot();

-        Assert.Contains("<Version>2.8.0</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
-        Assert.Contains("VERSION: 2.8.0", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
-        Assert.Contains("gmrelay-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-web:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-discord-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("<Version>2.8.1</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
+        Assert.Contains("VERSION: 2.8.1", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
+        Assert.Contains("gmrelay-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-web:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-discord-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
        Assert.Contains(
-            "v2.8.0",
+            "v2.8.1",
            File.ReadAllText(Path.Combine(repoRoot, "src", "GmRelay.Web", "Components", "Layout", "NavMenu.razor")));
    }

@@ -3,6 +3,7 @@ using System.Text.Json;
 using GmRelay.Web;
 using GmRelay.Web.Services;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging.Abstractions;

 namespace GmRelay.Bot.Tests.Web;

@@ -20,7 +21,7 @@ public class DiscordAuthServiceTests
            })
            .Build();

-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);
        var url = service.BuildAuthorizeUrl("state123");

        Assert.Contains("client_id=12345", url);
@@ -33,7 +34,7 @@ public class DiscordAuthServiceTests
    public void BuildAuthorizeUrl_WithMissingConfig_ThrowsInvalidOperationException()
    {
        var config = new ConfigurationBuilder().Build();
-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);

        Assert.Throws<InvalidOperationException>(() => service.BuildAuthorizeUrl("state"));
    }
@@ -74,7 +75,7 @@ public class DiscordAuthServiceTests
            .Build();

        var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);

        var result = await service.ExchangeCodeAsync("valid_code");

@@ -102,7 +103,7 @@ public class DiscordAuthServiceTests
            .Build();

        var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);

        var result = await service.ExchangeCodeAsync("invalid_code");