
Commit c916f1f

fix: remove authorize from login/logout webscope (#922)
This PR fixes the issue where an OAuth user fails to log in with the error "no authorization header passed". The authorize check on the /o/login handler returns an unauthorized error for users who do not have the login privilege.
1 parent 75cda6b commit c916f1f

2 files changed

+13
-6
lines changed


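--- a/server/src/handlers/http/modal/server.rs
+++ b/server/src/handlers/http/modal/server.rs
@@ -422,10 +422,8 @@ impl Server {
     // get the oauth webscope
     pub fn get_oauth_webscope(oidc_client: Option<OpenIdClient>) -> Scope {
         let oauth = web::scope("/o")
-            .service(resource("/login").route(web::get().to(oidc::login).authorize(Action::Login)))
-            .service(
-                resource("/logout").route(web::get().to(oidc::logout).authorize(Action::Login)),
-            )
+            .service(resource("/login").route(web::get().to(oidc::login)))
+            .service(resource("/logout").route(web::get().to(oidc::logout)))
             .service(resource("/code").route(web::get().to(oidc::reply_login)));
 
         if let Some(client) = oidc_client {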
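Review bot: The `/logout` route loses its `.authorize(Action::Login)` guard here, but the handler-level check that this commit adds in oidc.rs is only in `login`, so `/o/logout` is now reachable with no authorization at all. That is fine only if `oidc::logout` itself validates the presented session key before acting on it; its body is not in this diff, so please confirm rather than assume. A short comment on the route would save the next reader the same question, e.g. `// /login and /logout enforce Action::Login inside the handler so unauthenticated callers can be redirected to the IdP instead of receiving 401.` `get_oauth_webscope` continues past the end of this hunk.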

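--- a/server/src/handlers/http/oidc.rs
+++ b/server/src/handlers/http/oidc.rs
@@ -35,6 +35,7 @@ use crate::{
     oidc::{Claims, DiscoveredClient},
     option::CONFIG,
     rbac::{
+        self,
         map::{SessionKey, DEFAULT_ROLE},
         user::{self, User, UserType},
         Users,
@@ -64,13 +65,18 @@ pub async fn login(
 ) -> Result<HttpResponse, OIDCError> {
     let oidc_client = req.app_data::<Data<DiscoveredClient>>();
     let session_key = extract_session_key_from_req(&req).ok();
-
     let (session_key, oidc_client) = match (session_key, oidc_client) {
         (None, None) => return Ok(redirect_no_oauth_setup(query.redirect.clone())),
         (None, Some(client)) => return Ok(redirect_to_oidc(query, client)),
         (Some(session_key), client) => (session_key, client),
     };
-
+    // try authorize
+    match Users.authorize(session_key.clone(), rbac::role::Action::Login, None, None) {
+        rbac::Response::Authorized => (),
+        rbac::Response::UnAuthorized | rbac::Response::ReloadRequired => {
+            return Err(OIDCError::Unauthorized)
+        }
+    }
     match session_key {
         // We can exchange basic auth for session cookie
         SessionKey::BasicAuth { username, password } => match Users.get_user(&username) {
@@ -358,6 +364,8 @@ pub enum OIDCError {
     Serde(#[from] serde_json::Error),
     #[error("Bad Request")]
     BadRequest,
+    #[error("Unauthorized")]
+    Unauthorized,
 }
 
 impl actix_web::ResponseError for OIDCError {
@@ -366,6 +374,7 @@ impl actix_web::ResponseError for OIDCError {
         Self::ObjectStorageError(_) => StatusCode::INTERNAL_SERVER_ERROR,
         Self::Serde(_) => StatusCode::INTERNAL_SERVER_ERROR,
         Self::BadRequest => StatusCode::BAD_REQUEST,
+        Self::Unauthorized => StatusCode::UNAUTHORIZED,
         }
     }
 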
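Review bot: In the `login` hunk, `rbac::Response::ReloadRequired` is folded into the same arm as `UnAuthorized` and answered with `OIDCError::Unauthorized`; if that variant signals a stale user map rather than a missing `Action::Login` grant (its definition is not visible here), a legitimately privileged user gets a 401 until something else triggers the reload, so the two cases should be handled or at least documented separately. The `// try authorize` comment should state the contract instead, e.g. `// Callers without any credential were redirected above; reject a presented session or basic-auth identity that lacks the Login action.` A rejected attempt is currently silent, and a log line at the rejecting arm (identity and source only, never the credential) would make misuse of a valid-but-unprivileged account visible to operators. The new `OIDCError::Unauthorized` variant would benefit from a one-line doc comment noting it is returned only after a credential was presented and failed the RBAC check. `login` begins before and continues after this hunk.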
