synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-06 15:41:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(coderd/httpmw): handle oauth config removed for existing auth (#8420)

Browse Source 
This commit fixes an edge case tied to unexpired oauth logins where the
oauth provider is removed, the server restarted, and the users auth
expiring after the fact.

Refs #8351, #8352, #8390
This commit is contained in:
Mathias Fredriksson
2023-07-11 20:29:29 +03:00
committed by GitHub
parent e508d9aa6e
commit 398e8fdf89
1 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
coderd/httpmw/apikey.go
View File

@ -77,6 +77,13 @@ type OAuth2Configs struct {
OIDC OAuth2Config
}
func (c *OAuth2Configs) IsZero() bool {
if c == nil {
return true
}
return c.Github == nil && c.OIDC == nil
}
const (
SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue."
internalErrorMessage = "An internal error occurred. Please try again or contact the system administrator."
@ -237,13 +244,14 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
}
// Check if the OAuth token is expired
if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
if cfg.OAuth2Configs == nil {
if cfg.OAuth2Configs.IsZero() {
return write(http.StatusInternalServerError, codersdk.Response{
Message: internalErrorMessage,
Detail: fmt.Sprintf("Unable to refresh OAuth token for login type %q. "+
"No OAuth2Configs provided. Contact an administrator to configure this login type.", key.LoginType),
})
}
var oauthConfig OAuth2Config
switch key.LoginType {
case database.LoginTypeGithub:
@ -256,6 +264,19 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
Detail: fmt.Sprintf("Unexpected authentication type %q.", key.LoginType),
})
}
// It's possible for cfg.OAuth2Configs to be non-nil, but still
// missing this type. For example, if a user logged in with GitHub,
// but the administrator later removed GitHub and replaced it with
// OIDC.
if oauthConfig == nil {
return write(http.StatusInternalServerError, codersdk.Response{
Message: internalErrorMessage,
Detail: fmt.Sprintf("Unable to refresh OAuth token for login type %q. "+
"OAuth2Config not provided. Contact an administrator to configure this login type.", key.LoginType),
})
}
// If it is, let's refresh it from the provided config
token, err := oauthConfig.TokenSource(r.Context(), &oauth2.Token{
AccessToken: link.OAuthAccessToken,