Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 95347b2

Browse files
hugodutkahugodutka
authored
fix: allow orgs with default github provider (#16755)
This PR fixes 2 bugs: ## Problem 1 The server would fail to start when the default github provider was configured and the flag `--oauth2-github-allowed-orgs` was set. The error was ``` error: configure github oauth2: allow everyone and allowed orgs cannot be used together ``` This PR fixes it by enabling "allow everone" with the default provider only if "allowed orgs" isn't set. ## Problem 2 The default github provider uses the device flow to authorize users, and that's handled differently by our web UI than the standard oauth flow. In particular, the web UI only handles JSON responses rather than HTTP redirects. There were 2 code paths that returned redirects, and the PR changes them to return JSON messages instead if the device flow is configured.
1 parent b85ba58 commit 95347b2

File tree

3 files changed

+35
-4
lines changed

3 files changed

+35
-4
lines changed

cli/server.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c
19111911
}
19121912

19131913
params.clientID = GithubOAuth2DefaultProviderClientID
1914-
params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
19151914
params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow
1915+
if len(params.allowOrgs) == 0 {
1916+
params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
1917+
}
19161918

19171919
return &params, nil
19181920
}

cli/server_test.go

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -314,6 +314,7 @@ func TestServer(t *testing.T) {
314314
githubDefaultProviderEnabled string
315315
githubClientID string
316316
githubClientSecret string
317+
allowedOrg string
317318
expectGithubEnabled bool
318319
expectGithubDefaultProviderConfigured bool
319320
createUserPreStart bool
@@ -355,7 +356,9 @@ func TestServer(t *testing.T) {
355356
if tc.githubDefaultProviderEnabled != "" {
356357
args = append(args, fmt.Sprintf("--oauth2-github-default-provider-enable=%s", tc.githubDefaultProviderEnabled))
357358
}
358-
359+
if tc.allowedOrg != "" {
360+
args = append(args, fmt.Sprintf("--oauth2-github-allowed-orgs=%s", tc.allowedOrg))
361+
}
359362
inv, cfg := clitest.New(t, args...)
360363
errChan := make(chan error, 1)
361364
go func() {
@@ -439,6 +442,12 @@ func TestServer(t *testing.T) {
439442
expectGithubEnabled: true,
440443
expectGithubDefaultProviderConfigured: false,
441444
},
445+
{
446+
name: "AllowedOrg",
447+
allowedOrg: "coder",
448+
expectGithubEnabled: true,
449+
expectGithubDefaultProviderConfigured: true,
450+
},
442451
} {
443452
tc := tc
444453
t.Run(tc.name, func(t *testing.T) {

coderd/userauth.go

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -922,7 +922,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
922922
}
923923
}
924924
if len(selectedMemberships) == 0 {
925-
httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
925+
status := http.StatusUnauthorized
926+
msg := "You aren't a member of the authorized Github organizations!"
927+
if api.GithubOAuth2Config.DeviceFlowEnabled {
928+
// In the device flow, the error is rendered client-side.
929+
httpapi.Write(ctx, rw, status, codersdk.Response{
930+
Message: "Unauthorized",
931+
Detail: msg,
932+
})
933+
} else {
934+
httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
935+
}
926936
return
927937
}
928938
}
@@ -959,7 +969,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
959969
}
960970
}
961971
if allowedTeam == nil {
962-
httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
972+
msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)
973+
status := http.StatusUnauthorized
974+
if api.GithubOAuth2Config.DeviceFlowEnabled {
975+
// In the device flow, the error is rendered client-side.
976+
httpapi.Write(ctx, rw, status, codersdk.Response{
977+
Message: "Unauthorized",
978+
Detail: msg,
979+
})
980+
} else {
981+
httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
982+
}
963983
return
964984
}
965985
}

0 commit comments

Comments
 (0)