Revert "fix(oauth): Add state validation to prevent promo code conflicts (#95742)"

This reverts commit ea60b81.

Co-authored-by: dashed <[email protected]>

Author: getsentry-bot

src/sentry/identity/oauth2.py

@@ -242,89 +242,25 @@ def get_authorize_params(self, state, redirect_uri):
             "redirect_uri": redirect_uri,
         }
 
-    def _start_new_oauth_flow(
-        self, request: HttpRequest, pipeline: IdentityPipeline
-    ) -> HttpResponseRedirect:
-        """Start a new OAuth flow by generating state, building redirect URL, and binding state."""
-        state = secrets.token_hex()
-        params = self.get_authorize_params(
-            state=state, redirect_uri=absolute_uri(_redirect_url(pipeline))
-        )
-        redirect_uri = f"{self.get_authorize_url()}?{urlencode(params)}"
-
-        pipeline.bind_state("state", state)
-        if request.subdomain:
-            pipeline.bind_state("subdomain", request.subdomain)
-
-        return HttpResponseRedirect(redirect_uri)
-
     @method_decorator(csrf_exempt)
     def dispatch(self, request: HttpRequest, pipeline: IdentityPipeline) -> HttpResponseBase:
         with record_event(IntegrationPipelineViewType.OAUTH_LOGIN, pipeline.provider.key).capture():
-            # Detect parameter pollution attacks for critical OAuth parameters
-            code_values = request.GET.getlist("code")
-            error_values = request.GET.getlist("error")
-            state_values = request.GET.getlist("state")
-
-            # Check for parameter pollution on critical OAuth parameters
-            pollution_detected = (
-                len(code_values) > 1 or len(error_values) > 1 or len(state_values) > 1
-            )
+            for param in ("code", "error", "state"):
+                if param in request.GET:
+                    return pipeline.next_step()
 
-            if pollution_detected:
-                logger.warning(
-                    "OAuth parameter pollution attack detected",
-                    extra={
-                        "provider": pipeline.provider.key,
-                        "code_count": len(code_values),
-                        "error_count": len(error_values),
-                        "state_count": len(state_values),
-                        "remote_addr": request.META.get("REMOTE_ADDR"),
-                        "user_agent": request.META.get("HTTP_USER_AGENT"),
-                        "referer": request.META.get("HTTP_REFERER"),
-                    },
-                )
-                # Start new OAuth flow to prevent potential parameter pollution attack
-                return self._start_new_oauth_flow(request, pipeline)
-
-            # Safe to get single values now that we've validated no pollution
-            oauth_code = code_values[0] if code_values else None
-            oauth_error = error_values[0] if error_values else None
-            oauth_state = state_values[0] if state_values else None
-            stored_state = pipeline.fetch_state("state")
-
-            # Only treat as OAuth callback if:
-            # 1. We have a code OR error parameter (but not both) AND
-            # 2. We have exactly ONE state parameter AND
-            # 3. The state matches what we stored
-            is_oauth_callback = (
-                (oauth_code or oauth_error)
-                and not (oauth_code and oauth_error)  # RFC 6749: MUST NOT have both code and error
-                and oauth_state
-                and oauth_state == stored_state
-            )
+            state = secrets.token_hex()
 
-            # Log OAuth callback detection for monitoring
-            logger.debug(
-                "OAuth callback detection",
-                extra={
-                    "provider": pipeline.provider.key,
-                    "has_code": bool(oauth_code),
-                    "has_error": bool(oauth_error),
-                    "has_state": bool(oauth_state),
-                    "code_count": len(code_values),
-                    "error_count": len(error_values),
-                    "state_count": len(state_values),
-                    "state_matches": oauth_state == stored_state if oauth_state else False,
-                    "is_callback": is_oauth_callback,
-                },
+            params = self.get_authorize_params(
+                state=state, redirect_uri=absolute_uri(_redirect_url(pipeline))
             )
+            redirect_uri = f"{self.get_authorize_url()}?{urlencode(params)}"
 
-            if is_oauth_callback:
-                return pipeline.next_step()
+            pipeline.bind_state("state", state)
+            if request.subdomain:
+                pipeline.bind_state("subdomain", request.subdomain)
 
-            # Otherwise, start new OAuth flow
-            return self._start_new_oauth_flow(request, pipeline)
+            return HttpResponseRedirect(redirect_uri)
 
 
 class OAuth2CallbackView: