Merge pull request #4861 from penpot/niwinz-auth-oidc-reject-bugfix

🐛 Fix unexpected error when user explictly reject oidc auth
2025-01-08 07:50:43 -05:00 · 2024-07-09 14:11:59 +02:00 · 2024-07-09 14:11:59 +02:00 · ff43d43020
commit ff43d43020
parent 74622919f6 0ae8cb4979
2 changed files with 21 additions and 20 deletions
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -420,12 +420,6 @@

 (defn- get-info
  [{:keys [::provider ::setup/props] :as cfg} {:keys [params] :as request}]
-  (when-let [error (get params :error)]
-    (ex/raise :type :internal
-              :code :error-on-retrieving-code
-              :error-id error
-              :error-desc (get params :error_description)))
-
  (let [state  (get params :state)
        code   (get params :code)
        state  (tokens/verify props {:token state :iss :oauth})
@ -609,9 +603,11 @@
 (defn- callback-handler
  [cfg request]
  (try
-    (let [info    (get-info cfg request)
-          profile (get-profile cfg info)]
-      (process-callback cfg request info profile))
+    (if-let [error (dm/get-in request [:params :error])]
+      (redirect-with-error "unable-to-auth" error)
+      (let [info    (get-info cfg request)
+            profile (get-profile cfg info)]
+        (process-callback cfg request info profile)))
    (catch Throwable cause
      (l/err :hint "error on oauth process" :cause cause)
      (redirect-with-error "unable-to-auth" (ex-message cause)))))
--- a/frontend/src/app/main/data/users.cljs
+++ b/frontend/src/app/main/data/users.cljs
@ -696,15 +696,20 @@
  (ptk/reify ::show-redirect-error
    ptk/WatchEvent
    (watch [_ _ _]
-      (let [hint (case error
-                   "registration-disabled"
-                   (tr "errors.registration-disabled")
-                   "profile-blocked"
-                   (tr "errors.profile-blocked")
-                   "auth-provider-not-allowed"
-                   (tr "errors.auth-provider-not-allowed")
-                   "email-domain-not-allowed"
-                   (tr "errors.email-domain-not-allowed")
-                   :else
-                   (tr "errors.generic"))]
+      (when-let [hint (case error
+                        "registration-disabled"
+                        (tr "errors.registration-disabled")
+                        "profile-blocked"
+                        (tr "errors.profile-blocked")
+                        "auth-provider-not-allowed"
+                        (tr "errors.auth-provider-not-allowed")
+                        "email-domain-not-allowed"
+                        (tr "errors.email-domain-not-allowed")
+
+                        ;; We explicitly do not show any error here, it a explicit user operation.
+                        "unable-to-auth"
+                        nil
+
+                        (tr "errors.generic"))]
+
        (rx/of (msg/warn hint))))))