fix allowed orgs with default github provider

hugodutka · hugodutka · commit 600d72acbc12 · 2025-02-28T14:33:03.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c
 	}
 
 	params.clientID = GithubOAuth2DefaultProviderClientID
-	params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
 	params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow
+	if len(params.allowOrgs) == 0 {
+		params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
+	}
 
 	return &params, nil
 }
diff --git a/cli/server_test.go b/cli/server_test.go
@@ -314,6 +314,7 @@ func TestServer(t *testing.T) {
 			githubDefaultProviderEnabled          string
 			githubClientID                        string
 			githubClientSecret                    string
+			allowedOrg                            string
 			expectGithubEnabled                   bool
 			expectGithubDefaultProviderConfigured bool
 			createUserPreStart                    bool
@@ -355,7 +356,9 @@ func TestServer(t *testing.T) {
 			if tc.githubDefaultProviderEnabled != "" {
 				args = append(args, fmt.Sprintf("--oauth2-github-default-provider-enable=%s", tc.githubDefaultProviderEnabled))
 			}
-
+			if tc.allowedOrg != "" {
+				args = append(args, fmt.Sprintf("--oauth2-github-allowed-orgs=%s", tc.allowedOrg))
+			}
 			inv, cfg := clitest.New(t, args...)
 			errChan := make(chan error, 1)
 			go func() {
@@ -439,6 +442,12 @@ func TestServer(t *testing.T) {
 				expectGithubEnabled:                   true,
 				expectGithubDefaultProviderConfigured: false,
 			},
+			{
+				name:                                  "AllowedOrg",
+				allowedOrg:                            "coder",
+				expectGithubEnabled:                   true,
+				expectGithubDefaultProviderConfigured: true,
+			},
 		} {
 			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -922,7 +922,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if len(selectedMemberships) == 0 {
-			httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
+			status := http.StatusUnauthorized
+			msg := "You aren't a member of the authorized Github organizations!"
+			if api.GithubOAuth2Config.DeviceFlowEnabled {
+				// In the device flow, the error is rendered client-side.
+				httpapi.Write(ctx, rw, status, codersdk.Response{
+					Message: "Unauthorized",
+					Detail:  msg,
+				})
+			} else {
+				httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+			}
 			return
 		}
 	}
@@ -959,7 +969,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if allowedTeam == nil {
-			httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
+			msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)
+			status := http.StatusUnauthorized
+			if api.GithubOAuth2Config.DeviceFlowEnabled {
+				// In the device flow, the error is rendered client-side.
+				httpapi.Write(ctx, rw, status, codersdk.Response{
+					Message: "Unauthorized",
+					Detail:  msg,
+				})
+			} else {
+				httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+			}
 			return
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c`
`1911`	`1911`	`}`
`1912`	`1912`
`1913`	`1913`	`params.clientID = GithubOAuth2DefaultProviderClientID`
`1914`		`- params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone`
`1915`	`1914`	`params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow`
	`1915`	`+ if len(params.allowOrgs) == 0 {`
	`1916`	`+ params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone`
	`1917`	`+ }`
`1916`	`1918`
`1917`	`1919`	`return &params, nil`
`1918`	`1920`	`}`
Original file line number	Diff line number	Diff line change
`@@ -922,7 +922,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`922`	`922`	`}`
`923`	`923`	`}`
`924`	`924`	`if len(selectedMemberships) == 0 {`
`925`		`- httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)`
	`925`	`+ status := http.StatusUnauthorized`
	`926`	`+ msg := "You aren't a member of the authorized Github organizations!"`
	`927`	`+ if api.GithubOAuth2Config.DeviceFlowEnabled {`
	`928`	`+ // In the device flow, the error is rendered client-side.`
	`929`	`+ httpapi.Write(ctx, rw, status, codersdk.Response{`
	`930`	`+ Message: "Unauthorized",`
	`931`	`+ Detail: msg,`
	`932`	`+ })`
	`933`	`+ } else {`
	`934`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)`
	`935`	`+ }`
`926`	`936`	`return`
`927`	`937`	`}`
`928`	`938`	`}`
`@@ -959,7 +969,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`959`	`969`	`}`
`960`	`970`	`}`
`961`	`971`	`if allowedTeam == nil {`
`962`		`- httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)`
	`972`	`+ msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)`
	`973`	`+ status := http.StatusUnauthorized`
	`974`	`+ if api.GithubOAuth2Config.DeviceFlowEnabled {`
	`975`	`+ // In the device flow, the error is rendered client-side.`
	`976`	`+ httpapi.Write(ctx, rw, status, codersdk.Response{`
	`977`	`+ Message: "Unauthorized",`
	`978`	`+ Detail: msg,`
	`979`	`+ })`
	`980`	`+ } else {`
	`981`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)`
	`982`	`+ }`
`963`	`983`	`return`
`964`	`984`	`}`
`965`	`985`	`}`