
Commit 6cc4a85

authored
chore: reject external auth early (#17712)
1 parent 2bdc470 commit 6cc4a85


1 file changed

+9
-0
lines changed

1 file changed

+9
-0
lines changed

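--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -1580,6 +1580,15 @@ func (api *API) workspaceAgentsExternalAuth(rw http.ResponseWriter, r *http.Requ
 return
 }
 
+// Pre-check if the caller can read the external auth links for the owner of the
+// workspace. Do this up front because a sql.ErrNoRows is expected if the user is
+// in the flow of authenticating. If no row is present, the auth check is delayed
+// until the user authenticates. It is preferred to reject early.
+if !api.Authorize(r, policy.ActionReadPersonal, rbac.ResourceUserObject(workspace.OwnerID)) {
+httpapi.Forbidden(rw)
+return
+}
+
 var previousToken *database.ExternalAuthLink
 // handleRetrying will attempt to continually check for a new token
 // if listen is true. This is useful if an error is encountered in the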
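Review bot: The authorization pre-check added at new lines 1587-1590 lands without a test (the commit changes only coderd/workspaceagents.go), so nothing pins the deny path the comment singles out: a caller lacking `policy.ActionReadPersonal` on the workspace owner while no external auth link row exists yet. A handler test asserting a 403 for that case, before any link is stored, would stop a later refactor from silently pushing the check back to the database lookup. The action/resource pair presumably mirrors what the database layer enforces when the row is read; if so, a line such as `// Must stay in sync with the authz check applied when the external auth link row is fetched.` would make that coupling explicit. workspaceAgentsExternalAuth begins and ends outside this hunk, so how the later lookup is authorized is not visible here.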
