chore: only redirect if login URL is overridden (chainloop-dev#1876)

jiparis · web-flow · commit 3ced9603edac · 2025-03-04T16:44:28.000+01:00
Signed-off-by: Jose I. Paris &lt;jiparis@chainloop.dev&gt;
diff --git a/app/controlplane/internal/service/auth.go b/app/controlplane/internal/service/auth.go
@@ -155,7 +155,8 @@ func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC
 }
 
 type AuthURLs struct {
-	Login, callback string
+	Login, callback   string
+	loginIsOverridden bool
 }
 
 // urlScheme is deprecated, now it will be inferred from the serverConfig externalURL
@@ -179,6 +180,8 @@ func getAuthURLs(serverConfig *conf.Server_HTTP, loginURLOverride string) (*Auth
 	// Override the login URL if needed
 	if loginURLOverride != "" {
 		urls.Login = loginURLOverride
+		// denote it's been overridden
+		urls.loginIsOverridden = true
 	}
 
 	return urls, nil
@@ -274,8 +277,14 @@ func (c *upstreamOIDCclaims) preferredEmail() string {
 
 func callbackHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) *oauthResp {
 	ctx := context.Background()
-	// if OIDC provider returns an error, redirect to the login page to and show it to the user
+	// if OIDC provider returns an error, show the error to the user
 	if desc := r.URL.Query().Get(oidcErrorParam); desc != "" {
+		// Do not redirect if there is no dedicated login page
+		if !svc.AuthURLs.loginIsOverridden {
+			return newOauthResp(http.StatusUnauthorized, errors.New(desc), true)
+		}
+
+		// redirect to the login page to and show it to the user
 		redirectURL, err := url.Parse(svc.AuthURLs.Login)
 		if err != nil {
 			return newOauthResp(http.StatusInternalServerError, fmt.Errorf("failed to redirect to login: %w", err), false)
@@ -285,7 +294,7 @@ func callbackHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) *
 		q.Set(oidcErrorParam, desc)
 		redirectURL.RawQuery = q.Encode()
 
-		return &oauthResp{http.StatusUnauthorized, errors.New(desc), true, redirectURL}
+		return &oauthResp{http.StatusUnauthorized, nil, true, redirectURL}
 	}
 
 	// Get information from google OIDC token
diff --git a/app/controlplane/internal/service/auth_test.go b/app/controlplane/internal/service/auth_test.go
@@ -65,13 +65,13 @@ func TestGetAuthURLs(t *testing.T) {
 			name:             "external with override",
 			config:           &conf.Server_HTTP{Addr: "1.2.3.4", ExternalUrl: "https://foo.com"},
 			loginURLOverride: "https://foo.override.com/auth/login",
-			want:             &AuthURLs{callback: "https://foo.com/auth/callback", Login: "https://foo.override.com/auth/login"},
+			want:             &AuthURLs{callback: "https://foo.com/auth/callback", Login: "https://foo.override.com/auth/login", loginIsOverridden: true},
 		},
 		{
 			name:             "internal with override",
 			config:           internalServer,
 			loginURLOverride: "https://foo.override.com/auth/login",
-			want:             &AuthURLs{callback: "http://1.2.3.4/auth/callback", Login: "https://foo.override.com/auth/login"},
+			want:             &AuthURLs{callback: "http://1.2.3.4/auth/callback", Login: "https://foo.override.com/auth/login", loginIsOverridden: true},
 		},
 	}
 
