Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Catch the error before the response is processed by goth (#20000) #20102

Merged
merged 1 commit into from
Jun 24, 2022
Merged

Catch the error before the response is processed by goth (#20000) #20102

merged 1 commit into from
Jun 24, 2022

Conversation

SteveTheEngineer
Copy link

@SteveTheEngineer SteveTheEngineer commented Jun 23, 2022
edited by zeripath
Loading

Backport #20000

The code introduced by #18185 gets the error from response after it was processed by goth.

That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in a oauth2: cannot fetch token: 400 Bad Request error from goth.
It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to RFC 6749, Section 4.1.2.1) or the page is reloaded (makes the session invalid), a 500 Internal Server Error page will be displayed.
This fixes it by handling the error before the request is passed to goth.

@SteveTheEngineer
Catch the error before the response is processed by goth. (#20000)
c9dc06d 
The code introduced by #18185 gets the error from response after it was processed by goth.

That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in a `oauth2: cannot fetch token: 400 Bad Request` error from goth.
It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to [RFC 6749, Section 4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)) or the page is reloaded (makes the session invalid), a 500 Internal Server Error page will be displayed.
This fixes it by handling the error before the request is passed to goth.
@lunny lunny added this to the 1.17.0 milestone Jun 23, 2022
@lunny lunny added the type/bug label Jun 23, 2022
@zeripath zeripath changed the title Backport "Catch the error before the response is processed by goth. (#20000)" to release/1.17. Catch the error before the response is processed by goth. (#20000) Jun 23, 2022
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jun 23, 2022
@zeripath zeripath changed the title Catch the error before the response is processed by goth. (#20000) Catch the error before the response is processed by goth (#20000) Jun 23, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 24, 2022
@lunny lunny merged commit 764e75d into go-gitea:release/v1.17 Jun 24, 2022
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zeripath zeripath zeripath approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Milestone
1.17.0
Development

Successfully merging this pull request may close these issues.
4 participants
@SteveTheEngineer @lunny @zeripath @GiteaBot