Allow Redeem() to fail with a 403
Returning the typed error will return an Invalid Account error instead
of a 500.
smarterclayton committed Apr 27, 2017
1 parent ea2540b commit 30dd718
Showing 2 changed files with 10 additions and 0 deletions.
5 changes: 5 additions & 0 deletions oauthproxy.go
Expand Up @@ -524,6 +524,11 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {

session, err := p.redeemCode(req.Host, req.Form.Get("code"))
if err != nil {
if err == providers.ErrPermissionDenied {
log.Printf("%s Permission Denied: user is unauthorized when redeeming token", remoteAddr)
p.ErrorPage(rw, 403, "Permission Denied", "Invalid Account")
return
}
log.Printf("%s error redeeming code %s", remoteAddr, err)
p.ErrorPage(rw, 500, "Internal Error", "Internal Error")
return
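Review bot: The new branch `if err == providers.ErrPermissionDenied` matches only the bare sentinel by identity, so a provider that annotates the error on the way out (for example via fmt.Errorf) will silently fall through to the 500 path and the user sees "Internal Error" rather than the intended 403. Worth stating that contract at the check, `// Providers must return providers.ErrPermissionDenied unwrapped; any other error is an internal failure.`, so the next provider author does not wrap it. The 403 log line carries only remoteAddr; if the provider name is reachable from p, including it would make denied-login triage and abuse detection easier, but I cannot see the struct from here. OAuthCallback starts and ends outside this hunk, so I have not checked what precedes the redeem call.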
5 changes: 5 additions & 0 deletions providers/providers.go
@@ -1,6 +1,8 @@
package providers

import (
"errors"

"github.com/bitly/oauth2_proxy/cookie"
)

Expand All @@ -16,6 +18,9 @@ type Provider interface {
CookieForSession(*SessionState, *cookie.Cipher) (string, error)
}

// ErrPermissionDenied may be returned from Redeem() to indicate the user is not allowed to login.
var ErrPermissionDenied = errors.New("permission denied")

func New(provider string, p *ProviderData) Provider {
switch provider {
case "myusa":
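Review bot: The doc comment on ErrPermissionDenied describes when to return it but not how, and the consumer in this same commit compares it with `==`, so the sentinel only works if a provider returns it as-is. I would extend the comment to pin that down and the resulting behavior: `// ErrPermissionDenied may be returned from Redeem() to indicate the user is not allowed to login.` followed by `// Return it unwrapped: the proxy compares by identity and maps it to a 403 "Invalid Account"; any other error is reported as a 500.` That also documents that nothing provider-specific is sent back to the client on the denied path, which is the property to preserve when this is extended.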