fix: redirect from oauth2 authorization page (#12241)

At the moment it just says "you are not authorized", but we want to automatically redirect to the login page.
2025-07-13 21:36:50 +00:00 · 2024-02-21 14:30:33 -08:00
parent c3a7b13690
commit 7eb2beccea
3 changed files with 30 additions and 15 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -153,6 +153,15 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 		Optional:                    false,
 		SessionTokenFunc:            nil, // Default behavior
 	})
+	// Same as above but it redirects to the login page.
+	apiKeyMiddlewareRedirect := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
+		DB:                          options.Database,
+		OAuth2Configs:               oauthConfigs,
+		RedirectToLogin:             true,
+		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
+		Optional:                    false,
+		SessionTokenFunc:            nil, // Default behavior
+	})
 	apiKeyMiddlewareOptional := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
 		DB:                          options.Database,
 		OAuth2Configs:               oauthConfigs,
@ -168,7 +177,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	}

 	api.AGPL.RootHandler.Group(func(r chi.Router) {
-		// Oauth2 linking routes do not make sense under the /api/v2 path.
+		// OAuth2 linking routes do not make sense under the /api/v2 path.
 		r.Route("/oauth2", func(r chi.Router) {
 			r.Use(
 				api.oAuth2ProviderMiddleware,
@ -176,17 +185,22 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				// authenticated user.
 				httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
 			)
-			r.Group(func(r chi.Router) {
-				r.Use(apiKeyMiddleware)
-				r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
-				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
-				// route used to revoke permissions from an application.  It is here for
-				// parity with POST on /tokens.
-				r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
+			r.Route("/authorize", func(r chi.Router) {
+				r.Use(apiKeyMiddlewareRedirect)
+				r.Get("/", api.getOAuth2ProviderAppAuthorize())
+			})
+			r.Route("/tokens", func(r chi.Router) {
+				r.Group(func(r chi.Router) {
+					r.Use(apiKeyMiddleware)
+					// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+					// route used to revoke permissions from an application.  It is here for
+					// parity with POST on /tokens.
+					r.Delete("/", api.deleteOAuth2ProviderAppTokens())
+				})
+				// The POST /tokens endpoint will be called from an unauthorized client so we
+				// cannot require an API key.
+				r.Post("/", api.postOAuth2ProviderAppToken())
 			})
-			// The /tokens endpoint will be called from an unauthorized client so we
-			// cannot require an API key.
-			r.Post("/tokens", api.postOAuth2ProviderAppToken())
 		})
 	})