From c916f1fff7972f2d3bb0c5d4ad9263ef7d7d7a11 Mon Sep 17 00:00:00 2001
From: Nikhil Sinha <131262146+nikhilsinhaparseable@users.noreply.github.com>
Date: Wed, 11 Sep 2024 15:00:42 +0530
Subject: [PATCH] fix: remove authorize from login/logout webscope (#922)

This PR fixes the issue where oauth user fails to login with error - "no authorization header passed". The authorize check in /o/login handler returns unauthorized error for users not having login privilege.
---
 server/src/handlers/http/modal/server.rs | 6 ++----
 server/src/handlers/http/oidc.rs | 13 +++++++++++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/server/src/handlers/http/modal/server.rs b/server/src/handlers/http/modal/server.rs
index 67586be94..341b0a107 100644
--- a/server/src/handlers/http/modal/server.rs
+++ b/server/src/handlers/http/modal/server.rs
@@ -422,10 +422,8 @@ impl Server {
 // get the oauth webscope
 pub fn get_oauth_webscope(oidc_client: Option) -> Scope {
 let oauth = web::scope("/o")
- .service(resource("/login").route(web::get().to(oidc::login).authorize(Action::Login)))
- .service(
- resource("/logout").route(web::get().to(oidc::logout).authorize(Action::Login)),
- )
+ .service(resource("/login").route(web::get().to(oidc::login)))
+ .service(resource("/logout").route(web::get().to(oidc::logout)))
 .service(resource("/code").route(web::get().to(oidc::reply_login)));
 
 if let Some(client) = oidc_client {
diff --git a/server/src/handlers/http/oidc.rs b/server/src/handlers/http/oidc.rs
index bcc749225..90c68aa54 100644
--- a/server/src/handlers/http/oidc.rs
+++ b/server/src/handlers/http/oidc.rs
@@ -35,6 +35,7 @@ use crate::{
 oidc::{Claims, DiscoveredClient},
 option::CONFIG,
 rbac::{
+ self,
 map::{SessionKey, DEFAULT_ROLE},
 user::{self, User, UserType},
 Users,
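Review bot: Removing `.authorize(Action::Login)` from the `/logout` route leaves that endpoint without any authorization check in this patch: the handler-side check the commit introduces is added only to `oidc::login`, and nothing equivalent is visible for `oidc::logout`. If logout merely clears the caller's own session that is probably harmless, but it should be confirmed in the handler rather than assumed, and a short route comment such as `// no Login privilege required: logout only affects the caller's own session` (wording to be confirmed against `oidc::logout`) would keep the guard's absence from being misread as an oversight or silently re-added. `get_oauth_webscope` continues past the hunk.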
@@ -64,13 +65,18 @@ pub async fn login(
 ) -> Result {
 let oidc_client = req.app_data::>();
 let session_key = extract_session_key_from_req(&req).ok();
-
 let (session_key, oidc_client) = match (session_key, oidc_client) {
 (None, None) => return Ok(redirect_no_oauth_setup(query.redirect.clone())),
 (None, Some(client)) => return Ok(redirect_to_oidc(query, client)),
 (Some(session_key), client) => (session_key, client),
 };
-
+ // try authorize
+ match Users.authorize(session_key.clone(), rbac::role::Action::Login, None, None) {
+ rbac::Response::Authorized => (),
+ rbac::Response::UnAuthorized | rbac::Response::ReloadRequired => {
+ return Err(OIDCError::Unauthorized)
+ }
+ }
 match session_key {
 // We can exchange basic auth for session cookie
 SessionKey::BasicAuth { username, password } => match Users.get_user(&username) {
@@ -358,6 +364,8 @@ pub enum OIDCError {
 Serde(#[from] serde_json::Error),
 #[error("Bad Request")]
 BadRequest,
+ #[error("Unauthorized")]
+ Unauthorized,
 }
 
 impl actix_web::ResponseError for OIDCError {
@@ -366,6 +374,7 @@ impl actix_web::ResponseError for OIDCError {
 Self::ObjectStorageError(_) => StatusCode::INTERNAL_SERVER_ERROR,
 Self::Serde(_) => StatusCode::INTERNAL_SERVER_ERROR,
 Self::BadRequest => StatusCode::BAD_REQUEST,
+ Self::Unauthorized => StatusCode::UNAUTHORIZED,
 }
 }
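Review bot: The added authorize block maps `rbac::Response::ReloadRequired` to the same `OIDCError::Unauthorized` as `UnAuthorized`, so a session whose user map needs refreshing is rejected instead of reloaded; the hunk gives no reason, and the variant name suggests the caller is expected to reload rather than fail, so either handle it separately or add a comment stating why rejecting is correct here. The `// try authorize` comment should also record why the check lives in the handler rather than the route's `.authorize()` wrapper, which is the point of the commit: e.g. `// Authorize here rather than with .authorize() on the route: the route-level check requires an Authorization header, which OIDC users cannot present before logging in.` Because the match only runs once a session key was extracted, a rejected caller has usually presented credentials, so mapping every rejection to 401 in the last hunk conflates bad credentials with an authenticated user who lacks the Login action (a 403 case); if `Users.authorize` lets you tell the two apart, consider a distinct status for the latter so logs and clients can distinguish them. `login` continues past the hunk.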