1 files changed, 24 insertions, 10 deletions

diff --git a/remoting/protocol/client_message_dispatcher.cc b/remoting/protocol/client_message_dispatcher.cc
index e7b6dd6..657e30d 100644
--- a/remoting/protocol/client_message_dispatcher.cc
+++ b/remoting/protocol/client_message_dispatcher.cc
@@ -39,18 +39,32 @@ void ClientMessageDispatcher::Initialize(
 
 void ClientMessageDispatcher::OnControlMessageReceived(
     ControlMessage* message, Task* done_task) {
-  // TODO(sergeyu): Add message validation.
-  if (message->has_notify_resolution()) {
-    client_stub_->NotifyResolution(
-        &message->notify_resolution(), done_task);
-  } else if (message->has_begin_session_response()) {
-    client_stub_->BeginSessionResponse(
-        &message->begin_session_response().login_status(), done_task);
+  if (!client_stub_->authenticated()) {
+    // When the client has not authenticated with the host, we restrict the
+    // control messages that we support.
+    if (message->has_begin_session_response()) {
+      client_stub_->BeginSessionResponse(
+          &message->begin_session_response().login_status(), done_task);
+      return;
+    } else {
+      LOG(WARNING) << "Invalid control message received "
+                   << "(client not authenticated).";
+    }
   } else {
-    LOG(WARNING) << "Invalid control message received.";
-    done_task->Run();
-    delete done_task;
+    // TODO(sergeyu): Add message validation.
+    if (message->has_notify_resolution()) {
+      client_stub_->NotifyResolution(
+          &message->notify_resolution(), done_task);
+      return;
+    } else if (message->has_begin_session_response()) {
+      LOG(WARNING) << "BeginSessionResponse sent after client already "
+                   << "authorized.";
+    } else {
+      LOG(WARNING) << "Invalid control message received.";
+    }
   }
+  done_task->Run();
+  delete done_task;
 }
 
 }  // namespace protocol