fix: only use groups in OAuth

2025-10-28 04:35:40 +00:00 · 2025-05-01 22:00:37 +03:00
parent 5278fbea68
commit a98a91a394
3 changed files with 68 additions and 46 deletions
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -70,7 +70,7 @@ export const ContinuePage = () => {
        </Button>
        <Button
          fullWidth
-          mt="sm"
+          mt="xs"
          color="gray"
          onClick={() => (window.location.href = "/")}
        >
@@ -110,7 +110,7 @@ export const ContinuePage = () => {
        </Button>
        <Button
          fullWidth
-          mt="sm"
+          mt="xs"
          color="gray"
          onClick={() => (window.location.href = "/")}
        >
--- a/frontend/src/pages/unauthorized-page.tsx
+++ b/frontend/src/pages/unauthorized-page.tsx
@@ -2,8 +2,9 @@ import { Button, Code, Paper, Text } from "@mantine/core";
 import { Layout } from "../components/layouts/layout";
 import { Navigate } from "react-router";
 import { Trans, useTranslation } from "react-i18next";
-import React from "react";
+import React, { useEffect } from "react";
 import { isValidQuery } from "../utils/utils";
+import { useIsMounted } from "../lib/hooks/use-is-mounted";

 export const UnauthorizedPage = () => {
  const queryString = window.location.search;
@@ -12,13 +13,31 @@ export const UnauthorizedPage = () => {
  const groupErr = params.get("groupErr") ?? "";
  const resource = params.get("resource") ?? "";

+  const [isGroupErr, setIsGroupErr] = React.useState(false);
+
+  const useMounted = useIsMounted();
+
+  useEffect(() => {
+    if (useMounted()) {
+      if (isValidQuery(groupErr)) {
+        if (groupErr === "true") {
+          setIsGroupErr(true);
+          return;
+        }
+        setIsGroupErr(false);
+        return;
+      }
+      setIsGroupErr(false);
+    }
+  }, []);
+
  const { t } = useTranslation();

  if (!isValidQuery(username)) {
    return <Navigate to="/" />;
  }

-  if (isValidQuery(resource) && !isValidQuery(groupErr)) {
+  if (isValidQuery(resource) && !isGroupErr) {
    return (
      <UnauthorizedLayout>
        <Trans
@@ -31,7 +50,7 @@ export const UnauthorizedPage = () => {
    );
  }

-  if (isValidQuery(groupErr) && isValidQuery(resource)) {
+  if (isGroupErr && isValidQuery(resource)) {
    return (
      <UnauthorizedLayout>
        <Trans
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -75,6 +75,8 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	// Get the container labels
 	labels, err := h.Docker.GetLabels(appId)

+	log.Debug().Interface("labels", labels).Msg("Got labels")
+
 	// Check if there was an error
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get container labels")
@@ -183,54 +185,55 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 			return
 		}

-		log.Debug().Interface("labels", labels).Msg("Got labels")
+		// Check groups if using OAuth
+		if userContext.OAuth {
+			// Check if user is in required groups
+			groupOk := h.Auth.OAuthGroup(c, userContext, labels)

-		// Check if user is in required groups
-		groupOk := h.Auth.OAuthGroup(c, userContext, labels)
+			log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")

-		log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")
+			// The user is not allowed to access the app
+			if !groupOk {
+				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")

-		// The user is not allowed to access the app
-		if !groupOk {
-			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")
+				// Set WWW-Authenticate header
+				c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")

-			// Set WWW-Authenticate header
-			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+				if proxy.Proxy == "nginx" || !isBrowser {
+					c.JSON(401, gin.H{
+						"status":  401,
+						"message": "Unauthorized",
+					})
+					return
+				}

-			if proxy.Proxy == "nginx" || !isBrowser {
-				c.JSON(401, gin.H{
-					"status":  401,
-					"message": "Unauthorized",
-				})
+				// Values
+				values := types.UnauthorizedQuery{
+					Resource: strings.Split(host, ".")[0],
+					GroupErr: true,
+				}
+
+				// Use either username or email
+				if userContext.OAuth {
+					values.Username = userContext.Email
+				} else {
+					values.Username = userContext.Username
+				}
+
+				// Build query
+				queries, err := query.Values(values)
+
+				// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to build queries")
+					c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+					return
+				}
+
+				// We are using caddy/traefik so redirect
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
 				return
 			}
-
-			// Values
-			values := types.UnauthorizedQuery{
-				Resource: strings.Split(host, ".")[0],
-				GroupErr: true,
-			}
-
-			// Use either username or email
-			if userContext.OAuth {
-				values.Username = userContext.Email
-			} else {
-				values.Username = userContext.Username
-			}
-
-			// Build query
-			queries, err := query.Values(values)
-
-			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
-			if err != nil {
-				log.Error().Err(err).Msg("Failed to build queries")
-				c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-				return
-			}
-
-			// We are using caddy/traefik so redirect
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
-			return
 		}

 		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))