gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 04:58:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth/ux): cause-aware OIDC + session error surfacing (HIGH-7 + HIGH-8 closure)

Browse Source 
Server (HIGH-7): the OIDC callback failure path now 302-redirects to
/login?error=oidc_failed&reason=<category> instead of emitting a blank
400. `category` is the existing audit `failure_category` value;
classifyOIDCFailure was extended with three new sentinel paths
(email_domain_not_allowed, email_missing_but_required, pkce_invalid)
so CRIT-5 + PKCE failures get distinguishable GUI rendering.
Audit-log observability is unchanged — the same failure_category is
written to the auth.oidc_login_failed audit row; the 302 is purely a
UX leg layered on top.

Server (HIGH-8): SessionMiddleware now stashes a cause classification
on the request context when Validate returns an error, mapping the
sentinels via classifySessionError (errors.Is-based, so wrapped
sentinels still classify) to the stable wire-strings idle_timeout /
absolute_timeout / back_channel_revoked / invalid_token. The 401
emit point in bearerSkipIfAuthenticated reads the stashed cause and
emits WWW-Authenticate: Bearer realm="certctl", error="invalid_token",
error_description=<cause> per RFC 6750 §3.

GUI (HIGH-7): LoginPage reads ?error= + ?reason= from the URL via
react-router useSearchParams and renders an operator-friendly
amber-bordered banner above the form; OIDC_FAILURE_REASON_TEXT maps
all 16 known categories with a defensive 'unspecified' fallback for
forward-compat with future server-side categories.

GUI (HIGH-8): api/client fetchJSON parses the WWW-Authenticate cause
via parseWWWAuthenticateCause and attaches it to the
'certctl:auth-required' CustomEvent detail; AuthProvider redirects
to /login?session_expired=<cause> on cause-aware 401s; LoginPage
renders a blue-bordered session-cause banner. invalid_token stays
on the current page (no hard redirect for opaque failures).

Misc cleanup: ErrorState now accepts the title/message/data-testid
form added by CRIT-4 BreakglassPage (was erroring tsc on master).

Regression matrix:
- internal/api/handler/oidc_redirect_categories_test.go pins all 16
  failure categories to the 302 + reason= location + audit-row leg
- internal/auth/session/www_authenticate_test.go pins the 4 stable
  cause categories on classifySessionError (incl. errors.Is wrapped
  sentinels) + the WWW-Authenticate emission across all 4 categories
  + the no-session-context fallback case
- internal/api/handler/auth_session_oidc_test.go: 4 pre-existing
  TestLoginCallback_*Returns400 tests updated to assert 302 + reason=
  location (the wire shape changed from 400 to 302, but the audit
  observability and behaviour-equivalent failure-classification are
  preserved)
- web/src/pages/LoginPage.test.tsx: 6 new cases pinning the failure
  banner, session-cause banner, unknown-reason fallback, and
  forward-compat 'unspecified' category

Spec: cowork/auth-bundles-fixes-2026-05-10/08-high-7-8-error-surfacing.md
Closes: HIGH-7, HIGH-8 of cowork/auth-bundles-audit-2026-05-10.md
This commit is contained in:
shankar0123
2026-05-10 21:12:11 +00:00
parent 32c97777b5
commit 2015ff46cd
10 changed files with 633 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/handler/auth_session_oidc.go
+20 -2
View File
@@ -258,7 +258,11 @@ func (h *AuthSessionOIDCHandler) LoginCallback(w http.ResponseWriter, r *http.Re
res, err := h.oidcSvc.HandleCallback(r.Context(), preLoginCookie.Value, code, state, clientIP, userAgent)
if err != nil {
// Uniform 400 to the wire; specific failure category in audit.
// Audit 2026-05-10 HIGH-7 — instead of a blank 400, redirect
// to /login?error=oidc_failed&reason=<category>. The LoginPage
// reads the query params and renders an operator-friendly
// alert. The audit row still carries the specific
// failure_category so server-side observability is unchanged.
category := classifyOIDCFailure(err)
h.recordAudit(r.Context(), "auth.oidc_login_failed", "anonymous", domain.ActorTypeSystem, "",
map[string]interface{}{"failure_category": category})
@@ -270,7 +274,10 @@ func (h *AuthSessionOIDCHandler) LoginCallback(w http.ResponseWriter, r *http.Re
}
// Always clear the pre-login cookie on failure.
h.clearPreLoginCookie(w)
Error(w, http.StatusBadRequest, "OIDC login failed")
// 302 to the login page; the reason categorizes the failure for
// the GUI to render. Keep the redirect target relative — the
// SPA serves /login.
http.Redirect(w, r, "/login?error=oidc_failed&reason="+category, http.StatusFound)
return
}
@@ -1073,6 +1080,17 @@ func classifyOIDCFailure(err error) string {
return "groups_missing"
case strings.Contains(msg, "jwks"):
return "jwks_unreachable"
// Audit 2026-05-10 HIGH-7 — surface CRIT-5 email-domain rejection
// + PKCE invalidation distinctly so the LoginPage can render an
// operator-friendly reason. The sentinel errors live in
// internal/auth/oidc/service.go (ErrEmailDomainNotAllowed,
// ErrEmailMissingButRequired, ErrPKCEPlainRejected).
case strings.Contains(msg, "email domain not in allowlist"):
return "email_domain_not_allowed"
case strings.Contains(msg, "requires email but token has none"):
return "email_missing_but_required"
case strings.Contains(msg, "pkce"):
return "pkce_invalid"
default:
return "unspecified"
}