
fix(auth): Make pipeline backed by redis store more bulletproof (#39747)

Alberto Leal 2 лет назад
Родитель
Сommit
99416f016a
2 измененных файлов с 28 добавлено и 1 удалено
  1. 5 1
      src/sentry/pipeline/base.py
  2. 23 0
      tests/sentry/web/frontend/test_auth_saml2.py

+ 5 - 1
src/sentry/pipeline/base.py

@@ -128,7 +128,11 @@ class Pipeline(abc.ABC):
         return views
 
     def is_valid(self) -> bool:
-        _is_valid: bool = self.state.is_valid() and self.state.signature == self.signature
+        _is_valid: bool = (
+            self.state.is_valid()
+            and self.state.signature == self.signature
+            and self.state.step_index is not None
+        )
         return _is_valid
 
     def initialize(self) -> None:
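Review bot: The new `step_index is not None` guard changes what "valid" means for a pipeline without saying why, so the next reader cannot tell whether a `None` index is a corrupted state or an expired one; the method deserves a docstring such as `"""Return True only if the stored state is live, carries this pipeline's signature and has a step index; a missing index (e.g. expired or partially restored backing store) is treated as invalid so callers restart rather than dereference it."""`. Using `is not None` rather than truthiness is correct here since step index 0 is a legitimate first step, and that is worth one inline comment on the added line. Stylistically the annotated temporary adds nothing: `return (self.state.is_valid() and self.state.signature == self.signature and self.state.step_index is not None)` reads the same without `_is_valid`. Since `self.state.is_valid()` is evaluated first, the later attribute reads only run on a live state, which is presumably the intended ordering.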

+ 23 - 0
tests/sentry/web/frontend/test_auth_saml2.py

@@ -141,6 +141,29 @@ class AuthSAML2Test(AuthProviderTestCase):
         assert auth.status_code == 200
         assert auth.context["existing_user"] == self.user
 
+    def test_auth_sp_initiated_invalid_step_index_from_session(self):
+        from sentry.auth.helper import AuthHelper
+
+        # Start auth process from SP side
+        self.client.post(self.login_path, {"init": True})
+
+        original_get_for_request = AuthHelper.get_for_request
+
+        def side_effect(request):
+            helper = original_get_for_request(request)
+            # This could occur if redis state has expired
+            helper.state.step_index = None
+            return helper
+
+        with mock.patch(
+            "sentry.auth.helper.AuthHelper.get_for_request",
+            side_effect=side_effect,
+            autospec=True,
+        ):
+            response = self.accept_auth()
+            assert response.status_code == 302
+            assert response["Location"] == "/auth/login/saml2-org/"
+
     @mock.patch("sentry.auth.helper.logger")
     def test_auth_setup(self, auth_log):
         self.auth_provider.delete()
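Review bot: The new test only asserts the 302 and its target, so it would still pass if the redirect were produced for an unrelated reason (a failed signature check, a missing provider) rather than the `step_index is None` path this commit guards; consider additionally asserting that the pipeline was judged invalid, for example by checking that the follow-up request to the redirect target starts a fresh pipeline rather than reusing the patched state, or by asserting on the helper returned by the patched `get_for_request`. The `side_effect` mutates `helper.state.step_index` on the live state object; if that state is persisted on attribute assignment, the test leaves the backing store altered for later steps, which is worth a comment or a teardown. The `from sentry.auth.helper import AuthHelper` inside the method could live at module level unless it exists to avoid an import cycle, in which case a one-line comment saying so would help. The enclosing `AuthSAML2Test` class starts and ends outside this hunk.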