enhance sso errors

Author: ArtemHoruzhenko

redisinsight/api/src/constants/error-messages.ts

@@ -86,7 +86,7 @@ export default {
   CLOUD_OAUTH_MISCONFIGURATION: 'Authorization server misconfiguration.',
   CLOUD_OAUTH_GITHUB_EMAIL_PERMISSION: 'Unable to get an email from the GitHub account. Make sure that it is available.',
   CLOUD_OAUTH_MISSED_REQUIRED_DATA: 'Unable to get required data from the user profile.',
-  CLOUD_OAUTH_GITHUB_UNKNOWN_AUTHORIZATION_REQUEST: 'Unknown authorization request.',
+  CLOUD_OAUTH_UNKNOWN_AUTHORIZATION_REQUEST: 'Unknown authorization request.',
   CLOUD_OAUTH_UNEXPECTED_ERROR: 'Unexpected error.',
 
   CLOUD_JOB_UNEXPECTED_ERROR: 'Unexpected error occurred',

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.spec.ts

@@ -223,10 +223,10 @@ describe('CloudAuthService', () => {
       await expect(service['callback'](
         {
           ...mockCloudAuthGoogleCallbackQueryObject,
-          error: 'bad request',
-          error_description: 'Some properties are missing: email and lastName',
+          error: 'access_denied',
+          error_description: 'Some required properties are missing: email and lastName',
         },
-      )).rejects.toThrow(new CloudOauthMissedRequiredDataException('Some properties are missing: email and lastName'));
+      )).rejects.toThrow(new CloudOauthMissedRequiredDataException('Some required properties are missing: email and lastName'));
     });
     it('should throw an error if request not found', async () => {
       expect(service['authRequests'].size).toEqual(1);

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.ts

@@ -8,6 +8,7 @@ import { CloudSessionService } from 'src/modules/cloud/session/cloud-session.ser
 import { GithubIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/github-idp.cloud.auth-strategy';
 import { wrapHttpError } from 'src/common/utils';
 import {
+  CloudOauthGithubEmailPermissionException,
   CloudOauthMisconfigurationException, CloudOauthMissedRequiredDataException,
   CloudOauthUnknownAuthorizationRequestException,
 } from 'src/modules/cloud/auth/exceptions';
@@ -32,11 +33,23 @@ export class CloudAuthService {
     private readonly eventEmitter: EventEmitter2,
   ) {}
 
-  static getAuthorizationServerRedirectError(query: { error_description: string }) {
-    if (query?.error_description?.indexOf('properties are missing') > -1) {
-      return new CloudOauthMissedRequiredDataException(query.error_description, {
-        description: query.error_description,
-      });
+  static getAuthorizationServerRedirectError(
+    query: { error_description: string, error: string },
+    authRequest?: CloudAuthRequest,
+  ) {
+    if (
+      query?.error_description?.indexOf('propert') > -1
+      && query?.error_description?.indexOf('required') > -1
+      && query?.error_description?.indexOf('miss') > -1
+    ) {
+      return (
+        authRequest?.idpType === CloudAuthIdpType.GitHub
+          && query?.error_description?.indexOf('email') > -1
+      )
+        ? new CloudOauthGithubEmailPermissionException(query.error_description)
+        : new CloudOauthMissedRequiredDataException(query.error_description, {
+          description: query.error_description,
+        });
     }
 
     return new CloudOauthMisconfigurationException(undefined, {
@@ -68,17 +81,21 @@ export class CloudAuthService {
       callback?: Function,
     },
   ): Promise<string> {
-    const authRequest: any = await this.getAuthStrategy(options?.strategy).generateAuthRequest(sessionMetadata);
-    authRequest.callback = options?.callback;
-    authRequest.action = options?.action;
+    try {
+      const authRequest: any = await this.getAuthStrategy(options?.strategy).generateAuthRequest(sessionMetadata);
+      authRequest.callback = options?.callback;
+      authRequest.action = options?.action;
 
-    // based on requirements we must support only single auth request at the moment
-    // and logout user before
-    await this.logout(sessionMetadata);
-    this.authRequests.clear();
-    this.authRequests.set(authRequest.state, authRequest);
+      // based on requirements we must support only single auth request at the moment
+      // and logout user before
+      await this.logout(sessionMetadata);
+      this.authRequests.clear();
+      this.authRequests.set(authRequest.state, authRequest);
 
-    return CloudAuthStrategy.generateAuthUrl(authRequest).toString();
+      return CloudAuthStrategy.generateAuthUrl(authRequest).toString();
+    } catch (e) {
+      throw new CloudOauthMisconfigurationException();
+    }
   }
 
   /**
@@ -137,12 +154,12 @@ export class CloudAuthService {
       throw new CloudOauthUnknownAuthorizationRequestException();
     }
 
+    const authRequest = this.authRequests.get(query.state);
+
     if (query?.error) {
-      throw CloudAuthService.getAuthorizationServerRedirectError(query);
+      throw CloudAuthService.getAuthorizationServerRedirectError(query, authRequest);
     }
 
-    const authRequest = this.authRequests.get(query.state);
-
     // delete authRequest on this step
     // allow to redirect with authorization code only once
     this.authRequests.delete(query.state);

redisinsight/api/src/modules/cloud/auth/exceptions/cloud-oauth.unknown-authorization-request.exception.ts

@@ -3,7 +3,7 @@ import { CustomErrorCodes } from 'src/constants';
 import ERROR_MESSAGES from 'src/constants/error-messages';
 
 export class CloudOauthUnknownAuthorizationRequestException extends HttpException {
-  constructor(message = ERROR_MESSAGES.CLOUD_OAUTH_GITHUB_UNKNOWN_AUTHORIZATION_REQUEST, options?: HttpExceptionOptions) {
+  constructor(message = ERROR_MESSAGES.CLOUD_OAUTH_UNKNOWN_AUTHORIZATION_REQUEST, options?: HttpExceptionOptions) {
     const response = {
       message,
       statusCode: HttpStatus.BAD_REQUEST,

redisinsight/desktop/src/lib/cloud/cloud-oauth.handlers.ts

@@ -10,6 +10,23 @@ import { DEFAULT_SESSION_ID, DEFAULT_USER_ID } from 'apiSrc/common/constants'
 import { CloudOauthUnexpectedErrorException } from 'apiSrc/modules/cloud/auth/exceptions'
 import { CloudAuthService } from '../../../../api/dist/src/modules/cloud/auth/cloud-auth.service'
 
+export const getOauthIpcErrorResponse = (error: any): { status: CloudAuthStatus.Failed, error: {} } => {
+  let errorResponse = new CloudOauthUnexpectedErrorException().getResponse()
+
+  if (error?.getResponse) {
+    errorResponse = error.getResponse()
+  }
+
+  if (error instanceof Error) {
+    errorResponse = new CloudOauthUnexpectedErrorException(error.message).getResponse()
+  }
+
+  return {
+    status: CloudAuthStatus.Failed,
+    error: errorResponse,
+  }
+}
+
 export const getTokenCallbackFunction = (webContents: WebContents) => (response: CloudAuthResponse) => {
   webContents.send(IpcOnEvent.cloudOauthCallback, response)
   webContents.focus()
@@ -42,10 +59,9 @@ export const initCloudOauthHandlers = () => {
     } catch (e) {
       log.error(wrapErrorMessageSensitiveData(e as Error))
 
-      return {
-        status: CloudAuthStatus.Failed,
-        error: (new CloudOauthUnexpectedErrorException()).getResponse(),
-      }
+      const [currentWindow] = getWindows().values()
+
+      currentWindow?.webContents.send(IpcOnEvent.cloudOauthCallback, getOauthIpcErrorResponse(e))
     }
   })
 }