Expose OAuth2 errors, avoid redirect loop.

Closes #1775.
2025-10-30 23:27:39 +02:00 · 2016-12-19 08:42:56 +03:00
parent b83a719e37
commit e259c64bac
7 changed files with 64 additions and 6 deletions
--- a/remote/bitbucket/bitbucket.go
+++ b/remote/bitbucket/bitbucket.go
@@ -1,6 +1,7 @@
 package bitbucket

 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -39,13 +40,27 @@ func New(client, secret string) remote.Remote {

 // Login authenticates an account with Bitbucket using the oauth2 protocol. The
 // Bitbucket account details are returned when the user is successfully authenticated.
-func (c *config) Login(w http.ResponseWriter, r *http.Request) (*model.User, error) {
-	redirect := httputil.GetURL(r)
+func (c *config) Login(w http.ResponseWriter, req *http.Request) (*model.User, error) {
+	redirect := httputil.GetURL(req)
 	config := c.newConfig(redirect)

-	code := r.FormValue("code")
+	// get the OAuth errors
+	if err := req.FormValue("error"); err != "" {
+		description := req.FormValue("error_description")
+		if description != "" {
+			err += " " + description
+		}
+		uri := req.FormValue("error_uri")
+		if uri != "" {
+			err += " " + uri
+		}
+		return nil, errors.New(err)
+	}
+
+	// get the OAuth code
+	code := req.FormValue("code")
 	if len(code) == 0 {
-		http.Redirect(w, r, config.AuthCodeURL("drone"), http.StatusSeeOther)
+		http.Redirect(w, req, config.AuthCodeURL("drone"), http.StatusSeeOther)
 		return nil, nil
 	}

@@ -237,8 +252,8 @@ func (c *config) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {

 // Hook parses the incoming Bitbucket hook and returns the Repository and
 // Build details. If the hook is unsupported nil values are returned.
-func (c *config) Hook(r *http.Request) (*model.Repo, *model.Build, error) {
-	return parseHook(r)
+func (c *config) Hook(req *http.Request) (*model.Repo, *model.Build, error) {
+	return parseHook(req)
 }

 // helper function to return the bitbucket oauth2 client
--- a/remote/bitbucket/bitbucket_test.go
+++ b/remote/bitbucket/bitbucket_test.go
@@ -70,6 +70,11 @@ func Test_bitbucket(t *testing.T) {
 				_, err := c.Login(nil, r)
 				g.Assert(err != nil).IsTrue()
 			})
+			g.It("Should handle authentication errors", func() {
+				r, _ := http.NewRequest("GET", "?error=invalid_scope", nil)
+				_, err := c.Login(nil, r)
+				g.Assert(err != nil).IsTrue()
+			})
 		})

 		g.Describe("Given an access token", func() {
--- a/remote/bitbucket/fixtures/handler.go
+++ b/remote/bitbucket/fixtures/handler.go
@@ -27,6 +27,11 @@ func Handler() http.Handler {
 }

 func getOauth(c *gin.Context) {
+	switch c.PostForm("error") {
+	case "invalid_scope":
+		c.String(500, "")
+	}
+
 	switch c.PostForm("code") {
 	case "code_bad_request":
 		c.String(500, "")
--- a/remote/github/github.go
+++ b/remote/github/github.go
@@ -2,6 +2,7 @@ package github

 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -92,6 +93,20 @@ type client struct {
 func (c *client) Login(res http.ResponseWriter, req *http.Request) (*model.User, error) {
 	config := c.newConfig(httputil.GetURL(req))

+	// get the OAuth errors
+	if err := req.FormValue("error"); err != "" {
+		description := req.FormValue("error_description")
+		if description != "" {
+			err += " " + description
+		}
+		uri := req.FormValue("error_uri")
+		if uri != "" {
+			err += " " + uri
+		}
+		return nil, errors.New(err)
+	}
+
+	// get the OAuth code
 	code := req.FormValue("code")
 	if len(code) == 0 {
 		// TODO(bradrydzewski) we really should be using a random value here and
--- a/remote/github/github_test.go
+++ b/remote/github/github_test.go
@@ -140,6 +140,7 @@ func Test_github(t *testing.T) {
 			g.It("Should create an access token")
 			g.It("Should handle an access token error")
 			g.It("Should return the authenticated user")
+			g.It("Should handle authentication errors")
 		})
 	})
 }
--- a/remote/gitlab/gitlab.go
+++ b/remote/gitlab/gitlab.go
@@ -2,6 +2,7 @@ package gitlab

 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -115,6 +116,19 @@ func (g *Gitlab) Login(res http.ResponseWriter, req *http.Request) (*model.User,
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: g.SkipVerify},
 	}

+	// get the OAuth errors
+	if err := req.FormValue("error"); err != "" {
+		description := req.FormValue("error_description")
+		if description != "" {
+			err += " " + description
+		}
+		uri := req.FormValue("error_uri")
+		if uri != "" {
+			err += " " + uri
+		}
+		return nil, errors.New(err)
+	}
+
 	// get the OAuth code
 	var code = req.FormValue("code")
 	if len(code) == 0 {
--- a/shared/oauth2/oauth2.go
+++ b/shared/oauth2/oauth2.go
@@ -218,6 +218,9 @@ func (c *Config) AuthCodeURL(state string) string {
 	if err != nil {
 		panic("AuthURL malformed: " + err.Error())
 	}
+	if err := url_.Query().Get("error"); err != "" {
+		panic("AuthURL contains error: " + err)
+	}
 	q := url.Values{
 		"response_type":   {"code"},
 		"client_id":       {c.ClientId},