Fix Unauthorised redirect (#349)

Azure · Jan 23, 2020 · 17ef1e7 · 17ef1e7
1 parent df83e41
commit 17ef1e7
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 19 deletions.
diff --git a/src/dotnet/APIView/APIViewWeb/Account/ConfigureOrganizationPolicy.cs b/src/dotnet/APIView/APIViewWeb/Account/ConfigureOrganizationPolicy.cs
@@ -17,7 +17,7 @@ public ConfigureOrganizationPolicy(IOptions<OrganizationOptions> options)
 
         public void Configure(AuthorizationOptions options)
         {
-            options.AddPolicy("RequireOrganization", policy =>
+            options.AddPolicy(Startup.RequireOrganizationPolicy, policy =>
             {
                 policy.AddRequirements(new OrganizationRequirement(_options.Value.RequiredOrganization));
             });

diff --git a/src/dotnet/APIView/APIViewWeb/Controllers/AccountController.cs b/src/dotnet/APIView/APIViewWeb/Controllers/AccountController.cs
@@ -23,7 +23,7 @@ public async Task<IActionResult> Login(string returnUrl = "/")
         public async Task<IActionResult> Logout()
         {
             await HttpContext.SignOutAsync();
-            return RedirectToPage("/Unauthorized");
+            return RedirectToPage("/Login");
         }
     }
 }
diff --git a/src/dotnet/APIView/APIViewWeb/Pages/Login.cshtml b/src/dotnet/APIView/APIViewWeb/Pages/Login.cshtml
@@ -0,0 +1,13 @@
+@page
+@model LoginModel
+@attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]
+@{
+    ViewData["Title"] = "Login";
+}
+
+<p>Please login using your GitHub account</p>
+
+<a class="login-button btn btn-outline-dark" asp-action="Login" asp-controller="Account" asp-route-returnUrl="@Model.ReturnUrl">
+    <img height="30" width="30" src="https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" />
+    Login with GitHub
+</a>
diff --git a/src/dotnet/APIView/APIViewWeb/Pages/Login.cshtml.cs b/src/dotnet/APIView/APIViewWeb/Pages/Login.cshtml.cs
@@ -0,0 +1,20 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace APIViewWeb.Pages
+{
+    public class LoginModel : PageModel
+    {
+        [BindProperty(SupportsGet = true, Name = "returnurl")]
+        public string ReturnUrl { get; set; } = "/";
+
+        public IActionResult OnGetAsync()
+        {
+            if (User.Identity.IsAuthenticated)
+                return Redirect(ReturnUrl);
+
+            return Page();
+        }
+    }
+}
diff --git a/src/dotnet/APIView/APIViewWeb/Pages/Unauthorized.cshtml b/src/dotnet/APIView/APIViewWeb/Pages/Unauthorized.cshtml
@@ -1,20 +1,20 @@
 @page
 @model APIViewWeb.Pages.UnauthorizedModel
-@attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
 @{
     ViewData["Title"] = "Unauthorized";
     var names = string.Join(" or ", Model.Options.RequiredOrganization);
 }
 
-<p>You're currently not logged into a GitHub account or your GitHub account is not publicly affiliated with @names organizations.</p>
+<p>Your GitHub account is not publicly affiliated with @names organizations.</p>
 <p>
     In order to use the site, please sign into another account - or,
-    request to join one of the following organizations:
+    ensure <b>public</b> membership in one of the following organizations:
     <ul>
         @foreach (var organization in Model.Options.RequiredOrganization)
         {
             <li>
-                <a href="https://github.com/@organization">@organization</a>
+                <a href="https://github.com/orgs/@organization/people?utf8=✓&query=@(User.GetGitHubLogin())#org-members-table">@organization</a>
             </li>
         }
     </ul>
@@ -26,5 +26,5 @@
 
 <a class="login-button btn btn-outline-dark" asp-action="Login" asp-controller="Account" asp-route-returnUrl="@Model.ReturnUrl">
     <img height="30" width="30" src="https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" />
-    Login with GitHub
+    Refresh GitHub login
 </a>
diff --git a/src/dotnet/APIView/APIViewWeb/Pages/Unauthorized.cshtml.cs b/src/dotnet/APIView/APIViewWeb/Pages/Unauthorized.cshtml.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Authorization;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.Extensions.Options;
@@ -7,23 +8,26 @@ namespace APIViewWeb.Pages
 {
     public class UnauthorizedModel : PageModel
     {
+        private readonly IAuthorizationService _authorizationService;
         public OrganizationOptions Options { get; }
 
-        [BindProperty(SupportsGet = true)]
-        public string ReturnUrl { get; private set; }
+        [BindProperty(SupportsGet = true, Name = "returnurl")]
+        public string ReturnUrl { get; set; } = "/";
 
-        public UnauthorizedModel(IOptions<OrganizationOptions> options)
+        public UnauthorizedModel(IOptions<OrganizationOptions> options, IAuthorizationService authorizationService)
         {
+            _authorizationService = authorizationService;
             Options = options.Value;
         }
 
-        public IActionResult OnGet()
+        public async Task<IActionResult> OnGetAsync()
         {
-            if (User.Identity.IsAuthenticated)
-            {
-                return RedirectToPage("./Assemblies/Index");
-            }
-            ReturnUrl = Request.Query["returnurl"];
+            var authorizationResult =
+                await _authorizationService.AuthorizeAsync(User, null, Startup.RequireOrganizationPolicy);
+
+            if (authorizationResult.Succeeded)
+                return Redirect(ReturnUrl);
+
             return Page();
         }
     }

diff --git a/src/dotnet/APIView/APIViewWeb/Startup.cs b/src/dotnet/APIView/APIViewWeb/Startup.cs
@@ -26,6 +26,8 @@ namespace APIViewWeb
 {
     public class Startup
     {
+        public static string RequireOrganizationPolicy = "RequireOrganization";
+
         public static string VersionHash { get; set; }
 
         static Startup()
@@ -64,7 +66,7 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddRazorPages(options =>
             {
-                options.Conventions.AuthorizeFolder("/Assemblies", "RequireOrganization");
+                options.Conventions.AuthorizeFolder("/Assemblies", RequireOrganizationPolicy);
                 options.Conventions.AddPageRoute("/Assemblies/Index", "");
             });
 
@@ -87,7 +89,11 @@ public void ConfigureServices(IServiceCollection services)
                     options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                     options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                 })
-                .AddCookie(options => options.LoginPath = options.AccessDeniedPath = "/Unauthorized")
+                .AddCookie(options =>
+                {
+                    options.LoginPath = "/Login";
+                    options.AccessDeniedPath = "/Unauthorized";
+                })
                 .AddOAuth("GitHub", options =>
                 {
                     options.ClientId = Configuration["Github:ClientId"];