fix: redirect unauthorized git users to login screen (#10995)

* fix: redirect to login screen if unauthorized git user * consolidated language * fix redirect
2023-12-07 09:19:31 -05:00 · 2023-12-07 09:19:31 -05:00 · 091fdd6761
parent 5d2e87f1a7
commit 091fdd6761
5 changed files with 26 additions and 15 deletions
--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@ -538,3 +538,18 @@ func RedirectToLogin(rw http.ResponseWriter, r *http.Request, dashboardURL *url.
 	// (like temporary redirect does).
 	http.Redirect(rw, r, u.String(), http.StatusSeeOther)
 }
+
+// CustomRedirectToLogin redirects the user to the login page with the `message` and
+// `redirect` query parameters set, with a provided code
+func CustomRedirectToLogin(rw http.ResponseWriter, r *http.Request, redirect string, message string, code int) {
+	q := url.Values{}
+	q.Add("message", message)
+	q.Add("redirect", redirect)
+
+	u := &url.URL{
+		Path:     "/login",
+		RawQuery: q.Encode(),
+	}
+
+	http.Redirect(rw, r, u.String(), code)
+}
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -510,6 +510,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {

 	var selectedMemberships []*github.Membership
 	var organizationNames []string
+	redirect := state.Redirect
 	if !api.GithubOAuth2Config.AllowEveryone {
 		memberships, err := api.GithubOAuth2Config.ListOrganizationMemberships(ctx, oauthClient)
 		if err != nil {
@ -535,9 +536,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if len(selectedMemberships) == 0 {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: "You aren't a member of the authorized Github organizations!",
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
 			return
 		}
 	}
@ -574,9 +573,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if allowedTeam == nil {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames),
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
 			return
 		}
 	}
@ -658,7 +655,6 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		http.SetCookie(rw, cookie)
 	}

-	redirect := state.Redirect
 	if redirect == "" {
 		redirect = "/"
 	}
--- a/site/src/pages/LoginPage/LoginPageView.tsx
+++ b/site/src/pages/LoginPage/LoginPageView.tsx
@ -24,7 +24,7 @@ export const LoginPageView: FC<LoginPageViewProps> = ({
  const redirectTo = retrieveRedirect(location.search);
  // This allows messages to be displayed at the top of the sign in form.
  // Helpful for any redirects that want to inform the user of something.
-  const info = new URLSearchParams(location.search).get("info") || undefined;
+  const message = new URLSearchParams(location.search).get("message");
  const applicationName = getApplicationName();
  const logoURL = getLogoURL();
  const applicationLogo = logoURL ? (
@ -52,7 +52,7 @@ export const LoginPageView: FC<LoginPageViewProps> = ({
          redirectTo={redirectTo}
          isSigningIn={isSigningIn}
          error={error}
-          info={info}
+          message={message}
          onSubmit={onSignIn}
        />
        <footer css={styles.footer}>
--- a/site/src/pages/LoginPage/SignInForm.tsx
+++ b/site/src/pages/LoginPage/SignInForm.tsx
@ -1,5 +1,5 @@
 import { type Interpolation, type Theme } from "@emotion/react";
-import { type FC } from "react";
+import { ReactNode, type FC } from "react";
 import type { AuthMethods } from "api/typesGenerated";
 import { PasswordSignInForm } from "./PasswordSignInForm";
 import { OAuthSignInForm } from "./OAuthSignInForm";
@ -63,7 +63,7 @@ export interface SignInFormProps {
  isSigningIn: boolean;
  redirectTo: string;
  error?: unknown;
-  info?: string;
+  message?: ReactNode;
  authMethods?: AuthMethods;
  onSubmit: (credentials: { email: string; password: string }) => void;
 }
@ -73,7 +73,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
  redirectTo,
  isSigningIn,
  error,
-  info,
+  message,
  onSubmit,
 }) => {
  const oAuthEnabled = Boolean(
@ -91,9 +91,9 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
        </div>
      )}

-      {Boolean(info) && Boolean(error) && (
+      {message && (
        <div css={styles.alert}>
-          <Alert severity="info">{info}</Alert>
+          <Alert severity="info">{message}</Alert>
        </div>
      )}

--- a/site/src/pages/UserSettingsPage/SecurityPage/SingleSignOnSection.tsx
+++ b/site/src/pages/UserSettingsPage/SecurityPage/SingleSignOnSection.tsx
@ -62,7 +62,7 @@ export const useSingleSignOnSection = () => {
        // The redirect on success should be back to the login page with a nice message.
        // The user should be logged out if this worked.
        encodeURIComponent(
-          `/login?info=Login type has been changed to ${loginTypeMsg}. Log in again using the new method.`,
+          `/login?message=Login type has been changed to ${loginTypeMsg}. Log in again using the new method.`,
        ),
      );
    },