public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Return 401 Unauthorized if Authorize fails

This commit is contained in:
Nick Meves 2020-10-28 18:40:58 -07:00
parent f21b3b8b20
commit b9661cb6fe
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
oauthproxy.go
View File

@ -42,6 +42,9 @@ var (
// ErrNeedsLogin means the user should be redirected to the login page // ErrNeedsLogin means the user should be redirected to the login page
ErrNeedsLogin = errors.New("redirect to login page") ErrNeedsLogin = errors.New("redirect to login page")
// ErrAccessDenied means the user should receive a 401 Unauthorized response
ErrAccessDenied = errors.New("access denied")
// Used to check final redirects are not susceptible to open redirects. // Used to check final redirects are not susceptible to open redirects.
// Matches //, /\ and both of these with whitespace in between (eg / / or / \). // Matches //, /\ and both of these with whitespace in between (eg / / or / \).
invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`) invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
@ -969,6 +972,9 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
p.SignInPage(rw, req, http.StatusForbidden) p.SignInPage(rw, req, http.StatusForbidden)
} }
case ErrAccessDenied:
p.ErrorPage(rw, http.StatusUnauthorized, "Permission Denied", "Unauthorized")
default: default:
// unknown error // unknown error
logger.Errorf("Unexpected internal error: %v", err) logger.Errorf("Unexpected internal error: %v", err)
@ -979,7 +985,9 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
} }
// getAuthenticatedSession checks whether a user is authenticated and returns a session object and nil error if so // getAuthenticatedSession checks whether a user is authenticated and returns a session object and nil error if so
// Returns nil, ErrNeedsLogin if user needs to login. // Returns:
// - `nil, ErrNeedsLogin` if user needs to login.
// - `nil, ErrAccessDenied` if the authenticated user is not authorized
// Set-Cookie headers may be set on the response as a side-effect of calling this method. // Set-Cookie headers may be set on the response as a side-effect of calling this method.
func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.Request) (*sessionsapi.SessionState, error) { func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.Request) (*sessionsapi.SessionState, error) {
var session *sessionsapi.SessionState var session *sessionsapi.SessionState
@ -1000,13 +1008,13 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
} }
if invalidEmail || !authorized { if invalidEmail || !authorized {
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session) logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authorization via session: removing session %s", session)
// Invalid session, clear it // Invalid session, clear it
err := p.ClearSessionCookie(rw, req) err := p.ClearSessionCookie(rw, req)
if err != nil { if err != nil {
logger.Errorf("Error clearing session cookie: %v", err) logger.Errorf("Error clearing session cookie: %v", err)
} }
return nil, ErrNeedsLogin return nil, ErrAccessDenied
} }
return session, nil return session, nil