fix: redirect unauthorized git users to login screen (#10995)

Kira-Pilot · web-flow · commit 091fdd676164 · 2023-12-07T09:19:31.000-05:00
* fix: redirect to login screen if unauthorized git user

* consolidated language

* fix redirect
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -538,3 +538,18 @@ func RedirectToLogin(rw http.ResponseWriter, r *http.Request, dashboardURL *url.
 	// (like temporary redirect does).
 	http.Redirect(rw, r, u.String(), http.StatusSeeOther)
 }
+
+// CustomRedirectToLogin redirects the user to the login page with the `message` and
+// `redirect` query parameters set, with a provided code
+func CustomRedirectToLogin(rw http.ResponseWriter, r *http.Request, redirect string, message string, code int) {
+	q := url.Values{}
+	q.Add("message", message)
+	q.Add("redirect", redirect)
+
+	u := &url.URL{
+		Path:     "/login",
+		RawQuery: q.Encode(),
+	}
+
+	http.Redirect(rw, r, u.String(), code)
+}
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -510,6 +510,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 
 	var selectedMemberships []*github.Membership
 	var organizationNames []string
+	redirect := state.Redirect
 	if !api.GithubOAuth2Config.AllowEveryone {
 		memberships, err := api.GithubOAuth2Config.ListOrganizationMemberships(ctx, oauthClient)
 		if err != nil {
@@ -535,9 +536,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if len(selectedMemberships) == 0 {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: "You aren't a member of the authorized Github organizations!",
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
 			return
 		}
 	}
@@ -574,9 +573,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if allowedTeam == nil {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames),
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
 			return
 		}
 	}
@@ -658,7 +655,6 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		http.SetCookie(rw, cookie)
 	}
 
-	redirect := state.Redirect
 	if redirect == "" {
 		redirect = "/"
 	}
diff --git a/site/src/pages/LoginPage/LoginPageView.tsx b/site/src/pages/LoginPage/LoginPageView.tsx
@@ -24,7 +24,7 @@ export const LoginPageView: FC<LoginPageViewProps> = ({
   const redirectTo = retrieveRedirect(location.search);
   // This allows messages to be displayed at the top of the sign in form.
   // Helpful for any redirects that want to inform the user of something.
-  const info = new URLSearchParams(location.search).get("info") || undefined;
+  const message = new URLSearchParams(location.search).get("message");
   const applicationName = getApplicationName();
   const logoURL = getLogoURL();
   const applicationLogo = logoURL ? (
@@ -52,7 +52,7 @@ export const LoginPageView: FC<LoginPageViewProps> = ({
           redirectTo={redirectTo}
           isSigningIn={isSigningIn}
           error={error}
-          info={info}
+          message={message}
           onSubmit={onSignIn}
         />
         <footer css={styles.footer}>
diff --git a/site/src/pages/LoginPage/SignInForm.tsx b/site/src/pages/LoginPage/SignInForm.tsx
@@ -1,5 +1,5 @@
 import { type Interpolation, type Theme } from "@emotion/react";
-import { type FC } from "react";
+import { ReactNode, type FC } from "react";
 import type { AuthMethods } from "api/typesGenerated";
 import { PasswordSignInForm } from "./PasswordSignInForm";
 import { OAuthSignInForm } from "./OAuthSignInForm";
@@ -63,7 +63,7 @@ export interface SignInFormProps {
   isSigningIn: boolean;
   redirectTo: string;
   error?: unknown;
-  info?: string;
+  message?: ReactNode;
   authMethods?: AuthMethods;
   onSubmit: (credentials: { email: string; password: string }) => void;
 }
@@ -73,7 +73,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
   redirectTo,
   isSigningIn,
   error,
-  info,
+  message,
   onSubmit,
 }) => {
   const oAuthEnabled = Boolean(
@@ -91,9 +91,9 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
         </div>
       )}
 
-      {Boolean(info) && Boolean(error) && (
+      {message && (
         <div css={styles.alert}>
-          <Alert severity="info">{info}</Alert>
+          <Alert severity="info">{message}</Alert>
         </div>
       )}
 
diff --git a/site/src/pages/UserSettingsPage/SecurityPage/SingleSignOnSection.tsx b/site/src/pages/UserSettingsPage/SecurityPage/SingleSignOnSection.tsx
@@ -62,7 +62,7 @@ export const useSingleSignOnSection = () => {
         // The redirect on success should be back to the login page with a nice message.
         // The user should be logged out if this worked.
         encodeURIComponent(
-          `/login?info=Login type has been changed to ${loginTypeMsg}. Log in again using the new method.`,
+          `/login?message=Login type has been changed to ${loginTypeMsg}. Log in again using the new method.`,
         ),
       );
     },

Original file line number	Diff line number	Diff line change
`@@ -510,6 +510,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`510`	`510`
`511`	`511`	`var selectedMemberships []*github.Membership`
`512`	`512`	`var organizationNames []string`
	`513`	`+ redirect := state.Redirect`
`513`	`514`	`if !api.GithubOAuth2Config.AllowEveryone {`
`514`	`515`	`memberships, err := api.GithubOAuth2Config.ListOrganizationMemberships(ctx, oauthClient)`
`515`	`516`	`if err != nil {`
`@@ -535,9 +536,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`535`	`536`	`}`
`536`	`537`	`}`
`537`	`538`	`if len(selectedMemberships) == 0 {`
`538`		`- httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{`
`539`		`- Message: "You aren't a member of the authorized Github organizations!",`
`540`		`- })`
	`539`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)`
`541`	`540`	`return`
`542`	`541`	`}`
`543`	`542`	`}`
`@@ -574,9 +573,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`574`	`573`	`}`
`575`	`574`	`}`
`576`	`575`	`if allowedTeam == nil {`
`577`		`- httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{`
`578`		`- Message: fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames),`
`579`		`- })`
	`576`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)`
`580`	`577`	`return`
`581`	`578`	`}`
`582`	`579`	`}`
`@@ -658,7 +655,6 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`658`	`655`	`http.SetCookie(rw, cookie)`
`659`	`656`	`}`
`660`	`657`
`661`		`- redirect := state.Redirect`
`662`	`658`	`if redirect == "" {`
`663`	`659`	`redirect = "/"`
`664`	`660`	`}`