Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth: Redirect github oauth login attempt back if user cancels #23083

Merged
merged 1 commit into from
Jul 21, 2021
Merged

auth: Redirect github oauth login attempt back if user cancels #23083

merged 1 commit into from
Jul 21, 2021

Conversation

ryanslade
Copy link
Contributor

@ryanslade ryanslade commented Jul 21, 2021
edited

Before, we would show a raw plaintext error. Instead, we detect the
specifc access_denied error returned from GitHub and redirect the user
back.

Closes: https://sourcegraph.atlassian.net/browse/COREAPP-25

@ryanslade
auth: Redirect github oauth login attempt back if user cancels
7898a49 
Before, we would show a raw plaintext error. Instead, we detect the
specifc `access_denied` error returned from GitHub and redirect the user
back.
@ryanslade ryanslade marked this pull request as ready for review July 21, 2021 15:12
@ryanslade ryanslade changed the title auth: Redirect github oauth login attempt back if user cancels auth: Redirect github oauth login attempt back if user cancels COREAPP-25 Jul 21, 2021
@ryanslade ryanslade changed the title auth: Redirect github oauth login attempt back if user cancels COREAPP-25 auth: Redirect github oauth login attempt back if user cancels Jul 21, 2021
@sourcegraph-bot
Copy link
Contributor

Notifying subscribers in CODENOTIFY files for diff 28e524c...7898a49.

Notify File(s)
@unknwon enterprise/cmd/frontend/internal/auth/githuboauth/provider.go
enterprise/cmd/frontend/internal/auth/oauth/session.go

unknwon
unknwon reviewed Jul 21, 2021
View reviewed changes
enterprise/cmd/frontend/internal/auth/githuboauth/provider.go
Comment on lines +88 to +100
ctx := r.Context()
encodedState, err := goauth2.StateFromContext(ctx)
if err != nil {
log15.Error("OAuth failed: could not get state from context.", "error", err)
http.Error(w, "Authentication failed. Try signing in again (and clearing cookies for the current site). The error was: could not get OAuth state from context.", http.StatusInternalServerError)
return
}
state, err := oauth.DecodeState(encodedState)
if err != nil {
log15.Error("OAuth failed: could not decode state.", "error", err)
http.Error(w, "Authentication failed. Try signing in again (and clearing cookies for the current site). The error was: could not get decode OAuth state.", http.StatusInternalServerError)
return
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure all of these are actually needed because we know we got "access_denied" exactly here.

My suggestion would be put a warning log saying OAuth flow is failing because of "access_denied" and do the redirect.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to get the state so that we can extract the URL we want to redirect back to

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or do you think it's safe to always assume we're redirecting back to the sign in page?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see. Assuming you've verified that we always get "state" back even when the user cencals the authorization on GitHub side.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, the state is populated.

unknwon
unknwon approved these changes Jul 21, 2021
View reviewed changes
enterprise/cmd/frontend/internal/auth/githuboauth/provider.go
Comment on lines +88 to +100
ctx := r.Context()
encodedState, err := goauth2.StateFromContext(ctx)
if err != nil {
log15.Error("OAuth failed: could not get state from context.", "error", err)
http.Error(w, "Authentication failed. Try signing in again (and clearing cookies for the current site). The error was: could not get OAuth state from context.", http.StatusInternalServerError)
return
}
state, err := oauth.DecodeState(encodedState)
if err != nil {
log15.Error("OAuth failed: could not decode state.", "error", err)
http.Error(w, "Authentication failed. Try signing in again (and clearing cookies for the current site). The error was: could not get decode OAuth state.", http.StatusInternalServerError)
return
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see. Assuming you've verified that we always get "state" back even when the user cencals the authorization on GitHub side.

@ryanslade ryanslade merged commit 1a3e7ad into main Jul 21, 2021
@ryanslade ryanslade deleted the core/github-oauth-cancel branch July 21, 2021 16:18
@flying-robot flying-robot mentioned this pull request Jul 26, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@unknwon unknwon unknwon approved these changes

@flying-robot flying-robot Awaiting requested review from flying-robot

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ryanslade @sourcegraph-bot @unknwon