Gracefully handle Google OAuth failures from Maker App

dashboard/app/controllers/maker_controller.rb

@@ -121,18 +121,26 @@ def login_code
   # GET /maker/display_code
   # renders a page for users to copy and paste a login key
   def display_code
-    # Generate encrypted code to display to user
-    user_auth = current_user.authentication_options.find_by_credential_type(AuthenticationOption::GOOGLE)
-    @secret_code = Encryption.encrypt_string_utf8(
-      Time.now.strftime('%Y%m%dT%H%M%S%z') + user_auth['authentication_id'] + user_auth['credential_type']
-    )
+    if current_user
+      # Generate encrypted code to display to user
+      user_auth = current_user.authentication_options.find_by_credential_type(AuthenticationOption::GOOGLE)
+      if user_auth
+        @secret_code = Encryption.encrypt_string_utf8(
+          Time.now.strftime('%Y%m%dT%H%M%S%z') + user_auth['authentication_id'] + user_auth['credential_type']
+        )
+      end
+    end
   end
 
   # GET /maker/confirm_login
   # Renders a page to confirm uses want to login via Google OAuth
   # This route is need to convert the GET request from the Maker App into
   # a POST that can be used to login via Google OAuth
   def confirm_login
+    session[:user_return_to] ||= params[:user_return_to]
+    if current_user
+      redirect_to session[:user_return_to]
+    end
   end
 
   # POST /maker/complete

dashboard/app/controllers/omniauth_callbacks_controller.rb

@@ -67,6 +67,8 @@ def google_oauth2
 
     if user
       sign_in_google_oauth2 user
+    elsif session[:user_return_to] == maker_display_google_oauth_code_path
+      redirect_to session[:user_return_to]
     else
       sign_up_google_oauth2
     end

dashboard/app/views/maker/display_code.html.haml

@@ -1,14 +1,16 @@
 %h1= I18n.t('maker.google_oauth.login_with_google')
+- if @secret_code
+  %p= I18n.t('maker.google_oauth.copy_code')
 
-%p= I18n.t('maker.google_oauth.copy_code')
+  = text_field_tag :maker_code, @secret_code, readonly: true
+  = button_tag I18n.t(:copy), id: "btn-copy"
 
-= text_field_tag :maker_code, @secret_code, readonly: true
-= button_tag I18n.t(:copy), id: "btn-copy"
-
-:javascript
-  $(document).ready(function() {
-    $('#btn-copy').click(function() {
-      $('#maker_code').select();
-      document.execCommand("copy");
+  :javascript
+    $(document).ready(function() {
+      $('#btn-copy').click(function() {
+        $('#maker_code').select();
+        document.execCommand("copy");
+      });
     });
-  });
+- else
+  %p= I18n.t('maker.google_oauth.error_no_linked_google')

dashboard/config/locales/en.yml

@@ -1155,6 +1155,7 @@ en:
       copy_code: 'Please copy and paste this code into the Maker App to login to Code.org.'
       error_token_expired: 'Token has expired. Please log in again for a new token.'
       error_wrong_provider: 'Wrong provider. Please make sure you are logging in with Google.'
+      error_no_linked_google: 'Please go back to the Maker App and use the "Sign in" button in the top right to log in or click the back button to log in with a different Google account'
       error_invalid_user: 'Invalid user id. Please try logging in again.'
       error_no_code: 'Please enter your login code.'
       confirm_login: 'Select "Confirm" to log in with your Google account.'

dashboard/test/controllers/maker_controller_test.rb

@@ -473,6 +473,60 @@ class MakerControllerTest < ActionController::TestCase
     assert_equal 1, CircuitPlaygroundDiscountApplication.where(user_id: @teacher.id).length
   end
 
+  test "confirm_login redirects to maker_display_google_oauth_code_path when a google user is already signed in" do
+    @student = create :student, :google_sso_provider
+    sign_in @student
+
+    get :confirm_login, params: {user_return_to: '/maker/display_google_oauth_code'}
+
+    assert_response :redirect
+    assert @response.headers['Location'].ends_with? 'maker/display_google_oauth_code'
+
+    get :display_code
+    assert_response :success
+    assert_select '#btn-copy'
+  end
+
+  test "confirm_login redirects to maker_display_google_oauth_code_path when a non google user is already signed in" do
+    sign_in @student
+
+    get :confirm_login, params: {user_return_to: '/maker/display_google_oauth_code'}
+
+    assert_response :redirect
+    assert @response.headers['Location'].ends_with? 'maker/display_google_oauth_code'
+
+    get :display_code
+    assert_response :success
+    assert_select '#btn-copy', false
+  end
+
+  test "confirm_login does not redirect when no user is signed in" do
+    get :confirm_login, params: {user_return_to: '/maker/display_google_oauth_code'}
+    assert_response :success
+    assert_template :confirm_login
+  end
+
+  test "display_code shows a code when a google user is signed in" do
+    @student = create :student, :google_sso_provider
+    sign_in @student
+    get :display_code
+    assert_response :success
+    assert_select '#btn-copy'
+  end
+
+  test "display_code does not show a code when a non google user is signed in" do
+    sign_in @student
+    get :display_code
+    assert_response :success
+    assert_select '#btn-copy', false
+  end
+
+  test "display_code does not show a code when no user is signed in" do
+    get :display_code
+    assert_response :success
+    assert_select '#btn-copy', false
+  end
+
   private
 
   def ensure_script(script_name, version_year, is_stable=true)

dashboard/test/controllers/omniauth_callbacks_controller_test.rb

@@ -786,6 +786,48 @@ class OmniauthCallbacksControllerTest < ActionController::TestCase
     assert_equal auth[:credentials][:refresh_token], partial_user.oauth_refresh_token
   end
 
+  test 'google_oauth2: redirects to maker/display_google_oauth_code when google login is successful if the session[:user_return_to] is set to /maker/display_google_oauth_code' do
+    # Given I have a Google-Code.org account
+    user = create :student, :google_sso_provider
+
+    # When I hit the google oauth callback
+    auth = generate_auth_user_hash \
+      provider: AuthenticationOption::GOOGLE,
+      uid: user.primary_contact_info.authentication_id
+    @request.env['omniauth.auth'] = auth
+    @request.env['omniauth.params'] = {}
+    session[:user_return_to] = "/maker/display_google_oauth_code"
+    assert_does_not_create(User) do
+      get :google_oauth2
+    end
+
+    # Then I am signed in
+    user.reload
+    assert_equal user.id, signed_in_user_id
+    # Then I go to the display google oauth page to get my code
+    assert_redirected_to 'http://test.host/maker/display_google_oauth_code'
+  end
+
+  test 'google_oauth2: redirects to maker/display_google_oauth_code when google login is not successful if the session[:user_return_to] is set to /maker/display_google_oauth_code' do
+    # Given I do not have a Code.org account
+    uid = "nonexistent-google-oauth2"
+
+    # When I hit the google oauth callback
+    auth = generate_auth_user_hash \
+      provider: AuthenticationOption::GOOGLE,
+      uid: uid,
+      user_type: '' # Google doesn't provider user_type
+    @request.env['omniauth.auth'] = auth
+    @request.env['omniauth.params'] = {}
+    session[:user_return_to] = "/maker/display_google_oauth_code"
+    assert_does_not_create(User) do
+      get :google_oauth2
+    end
+
+    # Then I go to the display google oauth page to see an error message
+    assert_redirected_to 'http://test.host/maker/display_google_oauth_code'
+  end
+
   test 'login: google_oauth2 silently takes over unmigrated student with matching email' do
     email = 'test@foo.xyz'
     uid = '654321'