add a block page to oidc on invallid credentials, fix inifinite login redirect

This commit is contained in:
yusing 2025-02-27 01:18:47 +08:00
parent 485aa0f52b
commit a4d99b54af
5 changed files with 52 additions and 8 deletions

View file

@ -0,0 +1,22 @@
package auth
import (
"html/template"
"net/http"
_ "embed"
)
//go:embed block_page.html
var blockPageHTML string
var blockPageTemplate = template.Must(template.New("block_page").Parse(blockPageHTML))
func WriteBlockPage(w http.ResponseWriter, status int, error string, logoutURL string) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
blockPageTemplate.Execute(w, map[string]string{
"StatusText": http.StatusText(status),
"Error": error,
"LogoutURL": logoutURL,
})
}

View file

@ -0,0 +1,14 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
</head>
<body>
<h1>{{.StatusText}}</h1>
<p>{{.Error}}</p>
<a href="{{.LogoutURL}}">Logout</a>
</body>
</html>

View file

@ -132,7 +132,7 @@ func (auth *OIDCProvider) CheckToken(r *http.Request) error {
allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
allowedGroup := len(CE.Intersect(claims.Groups, auth.allowedGroups)) > 0
if !allowedUser && !allowedGroup {
return ErrUserNotAllowed.Subject(claims.Username)
return ErrUserNotAllowed
}
return nil
}

View file

@ -48,7 +48,6 @@ func ClientError(w http.ResponseWriter, err error, code ...int) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(err)
} else {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
http.Error(w, err.Error(), code[0])
}
}
@ -65,7 +64,8 @@ func BadRequest(w http.ResponseWriter, err string, code ...int) {
if len(code) == 0 {
code = []int{http.StatusBadRequest}
}
http.Error(w, err, code[0])
w.WriteHeader(code[0])
w.Write([]byte(err))
}
// Unauthorized returns an Unauthorized response with the given error message.
@ -73,6 +73,11 @@ func Unauthorized(w http.ResponseWriter, err string) {
BadRequest(w, err, http.StatusUnauthorized)
}
// Forbidden returns a Forbidden response with the given error message.
func Forbidden(w http.ResponseWriter, err string) {
BadRequest(w, err, http.StatusForbidden)
}
// NotFound returns a Not Found response with the given error message.
func NotFound(w http.ResponseWriter, err string) {
BadRequest(w, err, http.StatusNotFound)

View file

@ -1,6 +1,7 @@
package middleware
import (
"errors"
"net/http"
"sync"
"sync/atomic"
@ -80,11 +81,13 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
}
if err := amw.auth.CheckToken(r); err != nil {
amw.authMux.ServeHTTP(w, r)
return false
}
if r.URL.Path == auth.OIDCLogoutPath {
amw.auth.LogoutCallbackHandler(w, r)
if errors.Is(err, auth.ErrMissingToken) {
amw.authMux.ServeHTTP(w, r)
} else if r.URL.Path == auth.OIDCLogoutPath {
amw.auth.LogoutCallbackHandler(w, r)
} else {
auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), auth.OIDCLogoutPath)
}
return false
}
return true