Skip to content

Commit ee2ff90

Browse files
ThomasK33ThomasK33
committed
refactor(oauth2): simplify authorization flow by removing middleware layer
Change-Id: Ieff16b08aeb2cf2357ada11d83fd408cc66c6c5a Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 071383b commit ee2ff90

File tree

3 files changed

+42
-94
lines changed

3 files changed

+42
-94
lines changed

coderd/oauth2.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -116,7 +116,7 @@ func (api *API) deleteOAuth2ProviderAppSecret() http.HandlerFunc {
116116
// @Success 200 "Returns HTML authorization page"
117117
// @Router /oauth2/authorize [get]
118118
func (api *API) getOAuth2ProviderAppAuthorize() http.HandlerFunc {
119-
return oauth2provider.ShowAuthorizePage(api.Database, api.AccessURL)
119+
return oauth2provider.ShowAuthorizePage(api.AccessURL)
120120
}
121121

122122
// @Summary OAuth2 authorization request (POST - process authorization).
@@ -131,7 +131,7 @@ func (api *API) getOAuth2ProviderAppAuthorize() http.HandlerFunc {
131131
// @Success 302 "Returns redirect with authorization code"
132132
// @Router /oauth2/authorize [post]
133133
func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
134-
return oauth2provider.ProcessAuthorize(api.Database, api.AccessURL)
134+
return oauth2provider.ProcessAuthorize(api.Database)
135135
}
136136

137137
// @Summary OAuth2 token exchange.

coderd/oauth2provider/authorize.go

Lines changed: 40 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ import (
1616
"github.com/coder/coder/v2/coderd/httpapi"
1717
"github.com/coder/coder/v2/coderd/httpmw"
1818
"github.com/coder/coder/v2/codersdk"
19+
"github.com/coder/coder/v2/site"
1920
)
2021

2122
type authorizeParams struct {
@@ -68,15 +69,46 @@ func extractAuthorizeParams(r *http.Request, callbackURL *url.URL) (authorizePar
6869

6970
// ShowAuthorizePage handles GET /oauth2/authorize requests to display the HTML authorization page.
7071
// It uses authorizeMW which intercepts GET requests to show the authorization form.
71-
func ShowAuthorizePage(db database.Store, accessURL *url.URL) http.HandlerFunc {
72-
handler := authorizeMW(accessURL)(ProcessAuthorize(db, accessURL))
73-
return handler.ServeHTTP
72+
func ShowAuthorizePage(accessURL *url.URL) http.HandlerFunc {
73+
return func(rw http.ResponseWriter, r *http.Request) {
74+
app := httpmw.OAuth2ProviderApp(r)
75+
ua := httpmw.UserAuthorization(r.Context())
76+
77+
callbackURL, err := url.Parse(app.CallbackURL)
78+
if err != nil {
79+
site.RenderStaticErrorPage(rw, r, site.ErrorPageData{Status: http.StatusInternalServerError, HideStatus: false, Title: "Internal Server Error", Description: err.Error(), RetryEnabled: false, DashboardURL: accessURL.String(), Warnings: nil})
80+
return
81+
}
82+
83+
params, validationErrs, err := extractAuthorizeParams(r, callbackURL)
84+
if err != nil {
85+
errStr := make([]string, len(validationErrs))
86+
for i, err := range validationErrs {
87+
errStr[i] = err.Detail
88+
}
89+
site.RenderStaticErrorPage(rw, r, site.ErrorPageData{Status: http.StatusBadRequest, HideStatus: false, Title: "Invalid Query Parameters", Description: "One or more query parameters are missing or invalid.", RetryEnabled: false, DashboardURL: accessURL.String(), Warnings: errStr})
90+
return
91+
}
92+
93+
cancel := params.redirectURL
94+
cancelQuery := params.redirectURL.Query()
95+
cancelQuery.Add("error", "access_denied")
96+
cancel.RawQuery = cancelQuery.Encode()
97+
98+
site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
99+
AppIcon: app.Icon,
100+
AppName: app.Name,
101+
CancelURI: cancel.String(),
102+
RedirectURI: r.URL.String(),
103+
Username: ua.FriendlyName,
104+
})
105+
}
74106
}
75107

76108
// ProcessAuthorize handles POST /oauth2/authorize requests to process the user's authorization decision
77109
// and generate an authorization code. GET requests are handled by authorizeMW.
78-
func ProcessAuthorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
79-
handler := func(rw http.ResponseWriter, r *http.Request) {
110+
func ProcessAuthorize(db database.Store) http.HandlerFunc {
111+
return func(rw http.ResponseWriter, r *http.Request) {
80112
ctx := r.Context()
81113
apiKey := httpmw.APIKey(r)
82114
app := httpmw.OAuth2ProviderApp(r)
@@ -159,9 +191,8 @@ func ProcessAuthorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
159191
}
160192
params.redirectURL.RawQuery = newQuery.Encode()
161193

162-
http.Redirect(rw, r, params.redirectURL.String(), http.StatusTemporaryRedirect)
194+
// (ThomasK33): Use a 302 redirect as some (external) OAuth 2 apps and browsers
195+
// do not work with the 307.
196+
http.Redirect(rw, r, params.redirectURL.String(), http.StatusFound)
163197
}
164-
165-
// Always wrap with its custom mw.
166-
return authorizeMW(accessURL)(http.HandlerFunc(handler)).ServeHTTP
167198
}

coderd/oauth2provider/middleware.go

Lines changed: 0 additions & 83 deletions
This file was deleted.

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy