[local-app] fix failed/cancelled auth

gitpod-io · Sep 10, 2021 · 8bfcfcb · 8bfcfcb
1 parent 4619722
commit 8bfcfcb
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/components/local-app/main.go b/components/local-app/main.go
@@ -93,12 +93,21 @@ func main() {
 				},
 			},
 			&cli.BoolFlag{
-				Name: "verbose",
+				Name:  "verbose",
+				Usage: "Enable verbose logging",
 				EnvVars: []string{
 					"GITPOD_LCA_VERBOSE",
 				},
 				Value: false,
 			},
+			&cli.DurationFlag{
+				Name:  "auth-timeout",
+				Usage: "Auth timeout in seconds",
+				EnvVars: []string{
+					"GITPOD_LCA_AUTH_TIMEOUT",
+				},
+				Value: 30,
+			},
 		},
 		Commands: []*cli.Command{
 			{
@@ -107,7 +116,8 @@ func main() {
 					if c.Bool("mock-keyring") {
 						keyring.MockInit()
 					}
-					return run(c.String("gitpod-host"), c.String("ssh_config"), c.Int("api-port"), c.Bool("allow-cors-from-port"), c.Bool("auto-tunnel"), c.String("auth-redirect-url"), c.Bool("verbose"))
+					return run(c.String("gitpod-host"), c.String("ssh_config"), c.Int("api-port"), c.Bool("allow-cors-from-port"),
+						c.Bool("auto-tunnel"), c.String("auth-redirect-url"), c.Bool("verbose"), c.Duration("auth-timeout"))
 				},
 				Flags: []cli.Flag{
 					&cli.PathFlag{
@@ -131,7 +141,7 @@ func DefaultCommand(name string) cli.ActionFunc {
 	}
 }
 
-func run(origin, sshConfig string, apiPort int, allowCORSFromPort bool, autoTunnel bool, authRedirectUrl string, verbose bool) error {
+func run(origin, sshConfig string, apiPort int, allowCORSFromPort bool, autoTunnel bool, authRedirectUrl string, verbose bool, authTimeout time.Duration) error {
 	if verbose {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
@@ -155,7 +165,7 @@ func run(origin, sshConfig string, apiPort int, allowCORSFromPort bool, autoTunn
 
 	var b *bastion.Bastion
 
-	client, err := connectToServer(auth.LoginOpts{GitpodURL: origin, RedirectURL: authRedirectUrl}, func() {
+	client, err := connectToServer(auth.LoginOpts{GitpodURL: origin, RedirectURL: authRedirectUrl, AuthTimeout: authTimeout}, func() {
 		if b != nil {
 			b.FullUpdate()
 		}

diff --git a/components/local-app/pkg/auth/auth.go b/components/local-app/pkg/auth/auth.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
 	gitpod "github.com/gitpod-io/gitpod/gitpod-protocol"
@@ -95,6 +96,7 @@ func DeleteToken(host string) error {
 type LoginOpts struct {
 	GitpodURL   string
 	RedirectURL string
+	AuthTimeout time.Duration
 }
 
 const html = `
@@ -201,6 +203,7 @@ func Login(ctx context.Context, opts LoginOpts) (token string, err error) {
 		return "", xerrors.Errorf("cannot open browser to URL %s: %s\n", authorizationURL, err)
 	}
 
+	authTimeout := time.NewTimer(opts.AuthTimeout * time.Second)
 	var query url.Values
 	var code, approved string
 	select {
@@ -211,6 +214,8 @@ func Login(ctx context.Context, opts LoginOpts) (token string, err error) {
 	case query = <-queryChan:
 		code = query.Get("code")
 		approved = query.Get("approved")
+	case <-authTimeout.C:
+		return "", xerrors.Errorf("auth timeout after %d seconds", uint32(opts.AuthTimeout))
 	}
 
 	if approved == "no" {

diff --git a/components/server/src/oauth-server/oauth-controller.ts b/components/server/src/oauth-server/oauth-controller.ts
@@ -51,7 +51,7 @@ export class OAuthController {
 
             // Let the local app know they rejected the approval
             const rt = req.query.redirect_uri;
-            if (!rt || !rt.startsWith("http://localhost:")) {
+            if (!rt || !rt.startsWith("http://127.0.0.1:")) {
                 log.error(`/oauth/authorize: invalid returnTo URL: "${rt}"`)
                 res.sendStatus(400);
                 return false;