add a block page to oidc on invallid credentials, fix inifinite login redirect
This commit is contained in:
parent
485aa0f52b
commit
a4d99b54af
5 changed files with 52 additions and 8 deletions
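--- /dev/null
+++ b/internal/api/v1/auth/block_page.go
@@ -0,0 +1,22 @@
+package auth
+
+import (
+"html/template"
+"net/http"
+
+_ "embed"
+)
+
+//go:embed block_page.html
+var blockPageHTML string
+
+var blockPageTemplate = template.Must(template.New("block_page").Parse(blockPageHTML))
+
+func WriteBlockPage(w http.ResponseWriter, status int, error string, logoutURL string) {
+w.Header().Set("Content-Type", "text/html; charset=utf-8")
+blockPageTemplate.Execute(w, map[string]string{
+"StatusText": http.StatusText(status),
+"Error": error,
+"LogoutURL": logoutURL,
+})
+}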
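Review bot: WriteBlockPage never writes the status it is given — `status` only feeds `http.StatusText`, so the 403 the middleware asks for leaves the server as 200 OK, which misleads clients, intermediaries and any log- or status-based monitoring about a denied request. Add `w.WriteHeader(status)` immediately after the Content-Type header and before `blockPageTemplate.Execute`, since headers are frozen on the first body write. The parameter named `error` shadows the builtin interface type; `msg` would avoid that. Execute's return value is dropped; the page is mostly written by the time it can fail, so logging it is enough, but it should not vanish silently. For what it is worth, html/template contextually escapes `.Error` and `.LogoutURL`, so rendering error text on this page is safe against injection.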
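--- /dev/null
+++ b/internal/api/v1/auth/block_page.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+<title>Access Denied</title>
+</head>
+<body>
+<h1>{{.StatusText}}</h1>
+<p>{{.Error}}</p>
+<a href="{{.LogoutURL}}">Logout</a>
+</body>
+</html>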
|
@ -132,7 +132,7 @@ func (auth *OIDCProvider) CheckToken(r *http.Request) error {
|
|||
allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
|
||||
allowedGroup := len(CE.Intersect(claims.Groups, auth.allowedGroups)) > 0
|
||||
if !allowedUser && !allowedGroup {
|
||||
return ErrUserNotAllowed.Subject(claims.Username)
|
||||
return ErrUserNotAllowed
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -48,7 +48,6 @@ func ClientError(w http.ResponseWriter, err error, code ...int) {
|
|||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(err)
|
||||
} else {
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
http.Error(w, err.Error(), code[0])
|
||||
}
|
||||
}
|
||||
|
@ -65,7 +64,8 @@ func BadRequest(w http.ResponseWriter, err string, code ...int) {
|
|||
if len(code) == 0 {
|
||||
code = []int{http.StatusBadRequest}
|
||||
}
|
||||
http.Error(w, err, code[0])
|
||||
w.WriteHeader(code[0])
|
||||
w.Write([]byte(err))
|
||||
}
|
||||
|
||||
// Unauthorized returns an Unauthorized response with the given error message.
|
||||
|
@ -73,6 +73,11 @@ func Unauthorized(w http.ResponseWriter, err string) {
|
|||
BadRequest(w, err, http.StatusUnauthorized)
|
||||
}
|
||||
|
||||
// Forbidden returns a Forbidden response with the given error message.
|
||||
func Forbidden(w http.ResponseWriter, err string) {
|
||||
BadRequest(w, err, http.StatusForbidden)
|
||||
}
|
||||
|
||||
// NotFound returns a Not Found response with the given error message.
|
||||
func NotFound(w http.ResponseWriter, err string) {
|
||||
BadRequest(w, err, http.StatusNotFound)
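Review bot: In BadRequest, replacing `http.Error` with `w.WriteHeader(code[0])` plus `w.Write([]byte(err))` drops the two headers http.Error sets for exactly this case: with no Content-Type the net/http server sniffs the body, so an error string that echoes request input and happens to look like markup can be served as text/html and rendered, and `X-Content-Type-Options: nosniff` is gone as well. Set them explicitly before the status is written: `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` and `w.Header().Set("X-Content-Type-Options", "nosniff")`. Unauthorized, NotFound and the newly added Forbidden all funnel through this function, so every error response inherits the gap. If the intent was to keep a Content-Type a caller had already set, guard the first line with a `Header().Get("Content-Type") == ""` check rather than omitting it. BadRequest's signature sits above the hunk.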
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package middleware
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
|
@ -80,11 +81,13 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
|
|||
}
|
||||
|
||||
if err := amw.auth.CheckToken(r); err != nil {
|
||||
amw.authMux.ServeHTTP(w, r)
|
||||
return false
|
||||
}
|
||||
if r.URL.Path == auth.OIDCLogoutPath {
|
||||
amw.auth.LogoutCallbackHandler(w, r)
|
||||
if errors.Is(err, auth.ErrMissingToken) {
|
||||
amw.authMux.ServeHTTP(w, r)
|
||||
} else if r.URL.Path == auth.OIDCLogoutPath {
|
||||
amw.auth.LogoutCallbackHandler(w, r)
|
||||
} else {
|
||||
auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), auth.OIDCLogoutPath)
|
||||
}
|
||||
return false
|
||||
}
|
||||
return true
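Review bot: The final `else` branch passes `err.Error()` straight to `WriteBlockPage`, so whatever text CheckToken's verification failures carry (parser or verifier messages, possibly issuer or claim details) is shown to a client that has just been denied; I would render a fixed string and log the detail server-side, e.g. `auth.WriteBlockPage(w, http.StatusForbidden, "access denied", auth.OIDCLogoutPath)` preceded by a log line with `err`. The redirect loop is fixed only for the missing-token case: any other failure — including an expired or tampered cookie, if CheckToken reports those as distinct errors — now lands on a 403 page whose only exit is the Logout link, which is closer to 401 territory and probably deserves the same re-login handling as `ErrMissingToken`. The `errors.Is` test also assumes CheckToken returns `ErrMissingToken` unwrapped or through a type that implements `Is`/`Unwrap`, which is not visible here. `before` begins above the hunk and its closing brace is below it.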
|
||||
|
|