From aef944d7210aaac3dd574d32a76043637deede0e Mon Sep 17 00:00:00 2001 From: Luis Van Slageren Date: Tue, 30 Nov 2021 20:08:17 +1100 Subject: [PATCH 1/4] Clears auth cookies if the user signed in with an email address that isn't on the allow list. --- README.md | 6 ++++++ internal/config.go | 1 + internal/server.go | 10 +++++++++- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 90b7497f..6f931198 100644 --- a/README.md +++ b/README.md @@ -303,6 +303,12 @@ All options can be supplied in any of the following ways, in the following prece Please note that when using the default [Overlay Mode](#overlay-mode) requests to this exact path will be intercepted by this service and not forwarded to your application. Use this option (or [Auth Host Mode](#auth-host-mode)) if the default `/_oauth` path will collide with an existing route in your application. +- `logout-if-invalid-email` + + When enabled, logs out users if their email address isn't found on the allow list, allowing them to retry with another email address. + + Default: `false` + - `secret` Used to sign cookies authentication, should be a random (e.g. `openssl rand -hex 16`) diff --git a/internal/config.go b/internal/config.go index 840fb6dc..2e18efba 100644 --- a/internal/config.go +++ b/internal/config.go 
@@ -40,6 +40,7 @@ type Config struct { SecretString string `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"` Whitelist CommaSeparatedList `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given email addresses, can be set multiple times"` Port int `long:"port" env:"PORT" default:"4181" description:"Port to listen on"` + LogoutIfInvalidEmail bool `long:"logout-if-invalid-email" env:"LOGOUT_IF_INVALID_EMAIL" default:"false" description:"Allow user to retry another email address if their email address isn't found on the allow list"` Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"` Rules map[string]*Rule `long:"rule.." description:"Rule definitions, param can be: \"action\", \"rule\" or \"provider\""` diff --git a/internal/server.go b/internal/server.go index b8f37a09..efbaf612 100644 --- a/internal/server.go +++ b/internal/server.go @@ -108,7 +108,15 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc { valid := ValidateEmail(email, rule) if !valid { logger.WithField("email", email).Warn("Invalid email") - http.Error(w, "Not authorized", 401) + + if config.LogoutIfInvalidEmail == true { + // The email address isn't valid so display an error and clear the cookie + // Clearing the cookie will allow the user to try another email address and avoid being trapped on 'Not authorized' + http.SetCookie(w, ClearCookie(r)) + http.Error(w, "Not authorized (Refresh to try again with a different email address)", 401) + }else { + http.Error(w, "Not authorized", 401) + } return } From fd922dfc1ac579fbe58617a8790338fe597a348e Mon Sep 17 00:00:00 2001 From: Lennard Schwarz Date: Thu, 12 Sep 2024 14:49:07 +0200 Subject: [PATCH 2/4] Remove default value, which resulted in config parse error --- internal/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/config.go b/internal/config.go index 2e18efba..61a1f583 100644 
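Review bot: The `description` tag on the new `LogoutIfInvalidEmail` field states the benefit ("Allow user to retry another email address…") rather than what the option does, so the generated `--help` text never tells an operator that enabling it clears the auth cookie on the 401 response. Suggest `description:"Clear the auth cookie when the signed-in email address is not on the allow list, so the user can retry with another account"`. The Config struct continues outside the hunk.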
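Review bot: Clearing the cookie on a `ValidateEmail(email, rule)` failure signs the user out of every rule, not just the one that rejected them, because the rule is per-request while `ClearCookie(r)` removes the single auth cookie and `config.LogoutIfInvalidEmail` is global. A user who is allowed on one rule and follows a link into a rule with a narrower allow list would lose a still-valid session and be sent back through the provider. If that is intended, say so where the hunk comments on the clear, e.g. `// Clears the session for all rules, not only the one that rejected this email`; otherwise consider only clearing when the email fails the global allow list (which list applies here is not visible from the hunk). The "Refresh to try again with a different email address" message presumably only holds when the provider prompts for account selection; a provider that silently re-issues the same identity would return the user to the same 401. AuthHandler starts and ends outside the hunk.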
--- a/internal/config.go +++ b/internal/config.go @@ -40,7 +40,7 @@ type Config struct { SecretString string `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"` Whitelist CommaSeparatedList `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given email addresses, can be set multiple times"` Port int `long:"port" env:"PORT" default:"4181" description:"Port to listen on"` - LogoutIfInvalidEmail bool `long:"logout-if-invalid-email" env:"LOGOUT_IF_INVALID_EMAIL" default:"false" description:"Allow user to retry another email address if their email address isn't found on the allow list"` + LogoutIfInvalidEmail bool `long:"logout-if-invalid-email" env:"LOGOUT_IF_INVALID_EMAIL" description:"Allow user to retry another email address if their email address isn't found on the allow list"` Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"` Rules map[string]*Rule `long:"rule.." description:"Rule definitions, param can be: \"action\", \"rule\" or \"provider\""` From 20dce06929ea2ab2c9ae12b040018d47438918ad Mon Sep 17 00:00:00 2001 From: Lennard Schwarz Date: Thu, 12 Sep 2024 14:49:25 +0200 Subject: [PATCH 3/4] Simplify code --- internal/server.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/server.go b/internal/server.go index efbaf612..cbbfb4c6 100644 --- a/internal/server.go +++ b/internal/server.go 
@@ -109,12 +109,12 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc { if !valid { logger.WithField("email", email).Warn("Invalid email") - if config.LogoutIfInvalidEmail == true { + if config.LogoutIfInvalidEmail { // The email address isn't valid so display an error and clear the cookie // Clearing the cookie will allow the user to try another email address and avoid being trapped on 'Not authorized' http.SetCookie(w, ClearCookie(r)) http.Error(w, "Not authorized (Refresh to try again with a different email address)", 401) - }else { + } else { http.Error(w, "Not authorized", 401) } return From 92147915a2aedeffac4d4b228c4094e25d3a693f Mon Sep 17 00:00:00 2001 From: Lennard Schwarz Date: Thu, 12 Sep 2024 14:49:33 +0200 Subject: [PATCH 4/4] Add test --- internal/config_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/config_test.go b/internal/config_test.go index 27b8fdc8..983f3037 100644 --- a/internal/config_test.go +++ b/internal/config_test.go @@ -38,6 +38,7 @@ func TestConfigDefaults(t *testing.T) { assert.Equal("/_oauth", c.Path) assert.Len(c.Whitelist, 0) assert.Equal(c.Port, 4181) + assert.Equal(false, c.LogoutIfInvalidEmail) assert.Equal("select_account", c.Providers.Google.Prompt) }
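Review bot: `assert.Equal(false, c.LogoutIfInvalidEmail)` only pins the zero value, but the regression this series actually hit was the flag failing to parse (the earlier commit removed the `default` tag for that reason), and nothing here exercises parsing the flag. Prefer `assert.False(c.LogoutIfInvalidEmail)` for the default, and add a case to a flag-parsing test that passes `--logout-if-invalid-email` and asserts the field is true (the constructor used to build `c` is outside the hunk). TestConfigDefaults starts outside the hunk.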