Add page for login failure when authorization is required for reading
When authorization is required to read the wiki, the error message from
a failed GitHub login cannot be displayed.  Instead it will redirect to
GitHub for another OAuth authentication, which can lead to a redirect
loop.  To avoid this, the user is now redirected to a special landing
page to display the login failure.

Note: no changes are made for the case where authorization is not
required to read the wiki.
Rufflewind committed Dec 28, 2015
1 parent ff45b6d commit ca4558c
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion src/Network/Gitit/Authentication.hs
Expand Up @@ -464,17 +464,33 @@ oauthGithubCallback ghConfig githubCallbackPars =
seeOther (encUrl destination) $ toResponse ()
Left err -> do
liftIO $ logM "gitit" WARNING $ "Login Failed: " ++ ghUserMessage err ++ maybe "" (". Github response" ++) (ghDetails err)
let url = destination ++ "?message=" ++ ghUserMessage err
cfg <- getConfig
let destination'
| requireAuthentication cfg >= ForRead = base' ++ "/_loginFailure"
| otherwise = destination
let url = destination' ++ "?message=" ++ ghUserMessage err
seeOther (encUrl url) $ toResponse ()

githubAuthHandlers :: GithubConfig
-> [Handler]
githubAuthHandlers ghConfig =
[ dir "_logout" $ withData logoutUser
, dir "_login" $ loginGithubUser $ oAuth2 ghConfig
, dir "_loginFailure" $ githubLoginFailure
, dir "_githubCallback" $ withData $ oauthGithubCallback ghConfig
, dir "_user" currentUser ]

githubLoginFailure :: Handler
githubLoginFailure = withData $ \params ->
formattedPage (pageLayout (pMessages params)) noHtml >>= forbidden
where
pageLayout msgs =
defaultPageLayout{ pgShowPageTools = False,
pgTabs = [],
pgTitle = "Login failure",
pgMessages = msgs
}

-- Login using RPX (see RPX development docs at https://rpxnow.com/docs)
loginRPXUser :: RPars -- ^ The parameters passed by the RPX callback call (after authentication has taken place
-> Handler
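
Review bot: In `githubLoginFailure`, the messages shown on the page come straight from the request (`pMessages params`), and `_loginFailure` is registered as an ordinary route in `githubAuthHandlers`, so the page displays whatever `message` value a link carries, not only text produced by a real failed login. Suggest redirecting with a short error code and mapping it to fixed strings in the handler, or at least confirming that `pgMessages` is HTML-escaped when `formattedPage` renders it. Separately, `destination' ++ "?message=" ++ ghUserMessage err` builds the query string by concatenation; unless `encUrl` percent-encodes the value, a message containing `&` or `#` would be cut short, so encoding the parameter explicitly would be safer. `base'` and the `>= ForRead` comparison rely on definitions outside these lines; a short comment on the ordering assumed for the `requireAuthentication` levels would help the next reader.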