Skip to content

Commit ff35a38

Browse files
committed
Show proper error on 409 due to auth error
1 parent 0956c17 commit ff35a38

4 files changed

Lines changed: 40 additions & 1 deletion

File tree

packages/web-runtime/src/pages/accessDenied.vue

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@ export default defineComponent({
5151
const { currentTheme } = storeToRefs(themeStore)
5252
const configStore = useConfigStore()
5353
const redirectUrlQuery = useRouteQuery('redirectUrl')
54+
const reasonQuery = useRouteQuery('reason')
5455
5556
const { $gettext } = useGettext()
5657
@@ -62,6 +63,11 @@ export default defineComponent({
6263
return $gettext('Not logged in')
6364
})
6465
const cardHint = computed(() => {
66+
if (queryItemAsString(unref(reasonQuery)) === 'lowAssuranceLevel') {
67+
return $gettext(
68+
'Please login to your CERN account using the CERN credentials instead of a guest account.'
69+
)
70+
}
6571
return $gettext(
6672
'This could be because of a routine safety log out, or because your account is either inactive or not yet authorized for use. Please try logging in after a while or seek help from your Administrator.'
6773
)

packages/web-runtime/src/router/setupAuthGuard.ts

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,9 @@ export const setupAuthGuard = (router: Router) => {
4747

4848
if (isUserContextRequired(router, to)) {
4949
if (!authStore.userContextReady) {
50+
if (authService.lowAssuranceError) {
51+
return { name: 'accessDenied', query: { reason: 'lowAssuranceLevel' } }
52+
}
5053
if (unref(isDelegatingAuthentication)) {
5154
return { path: '/web-oidc-callback' }
5255
}

packages/web-runtime/src/services/auth/authService.ts

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
import { ErrorResponse } from 'oidc-client-ts'
12
import { UserManager } from './userManager'
23
import { PublicLinkManager } from './publicLinkManager'
34
import {
@@ -44,6 +45,7 @@ export class AuthService implements AuthServiceInterface {
4445
private accessTokenExpiryThreshold = 10
4546

4647
public hasAuthErrorOccurred: boolean
48+
public lowAssuranceError: boolean
4749

4850
public initialize(
4951
configStore: ConfigStore,
@@ -60,6 +62,7 @@ export class AuthService implements AuthServiceInterface {
6062
this.clientService = clientService
6163
this.router = router
6264
this.hasAuthErrorOccurred = false
65+
this.lowAssuranceError = false
6366
this.ability = ability
6467
this.language = language
6568
this.userStore = userStore
@@ -165,6 +168,10 @@ export class AuthService implements AuthServiceInterface {
165168
try {
166169
await this.userManager.updateContext(user.access_token, fetchUserData)
167170
} catch (e) {
171+
if (this.isLowAssuranceLevelError(e)) {
172+
this.lowAssuranceError = true
173+
return
174+
}
168175
console.error(e)
169176
await this.handleAuthError(unref(this.router.currentRoute))
170177
}
@@ -227,6 +234,10 @@ export class AuthService implements AuthServiceInterface {
227234
this.tokenTimerInitialized = true
228235
}
229236
} catch (e) {
237+
if (this.isLowAssuranceLevelError(e)) {
238+
this.lowAssuranceError = true
239+
return
240+
}
230241
console.error(e)
231242
await this.handleAuthError(unref(this.router.currentRoute))
232243
}
@@ -269,6 +280,10 @@ export class AuthService implements AuthServiceInterface {
269280
...(redirectRoute.query && { query: redirectRoute.query })
270281
})
271282
} catch (e) {
283+
if (this.isLowAssuranceLevelError(e)) {
284+
this.lowAssuranceError = true
285+
return this.router.push({ name: 'accessDenied', query: { reason: 'lowAssuranceLevel' } })
286+
}
272287
console.warn('error during authentication:', e)
273288
return this.handleAuthError(unref(this.router.currentRoute))
274289
}
@@ -329,6 +344,10 @@ export class AuthService implements AuthServiceInterface {
329344
this.hasAuthErrorOccurred = true
330345
}
331346

347+
private isLowAssuranceLevelError(e: unknown): boolean {
348+
return e instanceof ErrorResponse && e.error === 'low_assurance_level'
349+
}
350+
332351
public async resolvePublicLink(
333352
token: string,
334353
passwordRequired: boolean,

packages/web-runtime/src/services/auth/userManager.ts

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -187,7 +187,15 @@ export class UserManager extends OidcUserManager {
187187

188188
private async fetchUserInfo() {
189189
const graphClient = this.clientService.graphAuthenticated
190-
const [graphUser, roles] = await Promise.all([graphClient.users.getMe(), this.fetchRoles()])
190+
let graphUser: Awaited<ReturnType<typeof graphClient.users.getMe>>, roles: SettingsBundle[]
191+
try {
192+
;[graphUser, roles] = await Promise.all([graphClient.users.getMe(), this.fetchRoles()])
193+
} catch (e) {
194+
if (e?.response?.status === 409) {
195+
throw new ErrorResponse({ error: 'low_assurance_level' } as any)
196+
}
197+
throw e
198+
}
191199
const role = await this.fetchRole({ graphUser, roles })
192200

193201
this.userStore.setUser({
@@ -307,6 +315,9 @@ export class UserManager extends OidcUserManager {
307315
user.access_token = revaToken
308316
user.expires_at = claims.exp
309317
} catch (e) {
318+
if (e?.response?.status === 409) {
319+
throw new ErrorResponse({ ...signinResponse, error: 'low_assurance_level' })
320+
}
310321
console.error('Failed to get reva token, continue with sso one', e)
311322
}
312323
// end

0 commit comments

Comments
 (0)