Merge pull request mesosphere#35 from mesosphere/jr/fix-invalid-cooki…

…e-issue fix: perform auth redirect on all cookie validation errors
tgerakitis · Jun 25, 2020 · 3e75f73 · 3e75f73
2 parents e0a1ddf + 4933b31
commit 3e75f73
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 8 deletions.
diff --git a/internal/server.go b/internal/server.go
@@ -123,13 +123,8 @@ func (s *Server) AuthHandler(rule string) http.HandlerFunc {
 		// Validate cookie
 		email, err := ValidateCookie(r, c)
 		if err != nil {
-			if err.Error() == "cookie has expired" {
-				logger.Info("cookie has expired")
-				s.notAuthenticated(logger, w, r)
-			} else {
-				logger.Errorf("Invalid cookie: %v", err)
-				http.Error(w, "Not authorized", 401)
-			}
+			logger.Info(fmt.Sprintf("cookie validaton failure: %s", err.Error()))
+			s.notAuthenticated(logger, w, r)
 			return
 		}
 

diff --git a/internal/server_test.go b/internal/server_test.go
@@ -2,6 +2,7 @@ package tfa
 
 import (
 	"fmt"
+	"github.com/coreos/go-oidc"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -72,8 +73,9 @@ func TestServerAuthHandlerInvalid(t *testing.T) {
 	c.Value = fmt.Sprintf("bad|%s|%s", parts[1], parts[2])
 
 	config.AuthHost = ""
+	config.OIDCProvider = &oidc.Provider{}
 	res, _ = doHttpRequest(req, c)
-	assert.Equal(401, res.StatusCode, "invalid cookie should not be authorised")
+	assert.Equal(302, res.StatusCode, "invalid cookie should redirect")
 
 	// Should validate email
 	req = newDefaultHttpRequest("/foo")