From 091fdd676164ceee8526352ff40f3d9d415c1ae2 Mon Sep 17 00:00:00 2001
From: Kira Pilot
Date: Thu, 7 Dec 2023 09:19:31 -0500
Subject: [PATCH] fix: redirect unauthorized git users to login screen (#10995)

* fix: redirect to login screen if unauthorized git user
* consolidated language
* fix redirect
---
 coderd/httpmw/apikey.go | 15 +++++++++++++++
 coderd/userauth.go | 10 +++-------
 site/src/pages/LoginPage/LoginPageView.tsx | 4 ++--
 site/src/pages/LoginPage/SignInForm.tsx | 10 +++++-----
 .../SecurityPage/SingleSignOnSection.tsx | 2 +-
 5 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
index b6942a6310..dfffe9cf09 100644
--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -538,3 +538,18 @@ func RedirectToLogin(rw http.ResponseWriter, r *http.Request, dashboardURL *url.
 	// (like temporary redirect does).
 	http.Redirect(rw, r, u.String(), http.StatusSeeOther)
 }
+
+// CustomRedirectToLogin redirects the user to the login page with the `message` and
+// `redirect` query parameters set, with a provided code
+func CustomRedirectToLogin(rw http.ResponseWriter, r *http.Request, redirect string, message string, code int) {
+	q := url.Values{}
+	q.Add("message", message)
+	q.Add("redirect", redirect)
+
+	u := &url.URL{
+		Path: "/login",
+		RawQuery: q.Encode(),
+	}
+
+	http.Redirect(rw, r, u.String(), code)
+}
diff --git a/coderd/userauth.go b/coderd/userauth.go
index 10398e0233..b4c16ebdba 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -510,6 +510,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 
 	var selectedMemberships []*github.Membership
 	var organizationNames []string
+	redirect := state.Redirect
 	if !api.GithubOAuth2Config.AllowEveryone {
 		memberships, err := api.GithubOAuth2Config.ListOrganizationMemberships(ctx, oauthClient)
 		if err != nil {
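Review bot: `CustomRedirectToLogin` hands whatever `code` the caller passes straight to `http.Redirect`, but a browser only follows the `Location` header on a 3xx status; the call sites added in coderd/userauth.go pass `http.StatusUnauthorized`, so the user is likely to see Go's stock `Unauthorized` link page instead of landing on `/login` — confirm in a browser. The sibling `RedirectToLogin` just above uses `http.StatusSeeOther`, and this helper should either fix the status the same way or state in its doc comment that `code` must be a redirect status. The `redirect` value is also echoed into the `/login` query string without any check here, so the doc comment should make clear that it is caller-supplied and that the login page is responsible for restricting it to a local path. Proposed doc comment: `// CustomRedirectToLogin redirects to /login with message and redirect set as query parameters. code must be a 3xx status for browsers to follow the redirect; redirect is passed through unvalidated and must be checked by the login page.`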
@@ -535,9 +536,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if len(selectedMemberships) == 0 {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: "You aren't a member of the authorized Github organizations!",
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
 			return
 		}
 	}
@@ -574,9 +573,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if allowedTeam == nil {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames),
-			})
+			httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
 			return
 		}
 	}
@@ -658,7 +655,6 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		http.SetCookie(rw, cookie)
 	}
 
-	redirect := state.Redirect
 	if redirect == "" {
 		redirect = "/"
 	}
diff --git a/site/src/pages/LoginPage/LoginPageView.tsx b/site/src/pages/LoginPage/LoginPageView.tsx
index 4b7f310dde..f9bbf5fe25 100644
--- a/site/src/pages/LoginPage/LoginPageView.tsx
+++ b/site/src/pages/LoginPage/LoginPageView.tsx
@@ -24,7 +24,7 @@ export const LoginPageView: FC = ({
   const redirectTo = retrieveRedirect(location.search);
   // This allows messages to be displayed at the top of the sign in form.
   // Helpful for any redirects that want to inform the user of something.
-  const info = new URLSearchParams(location.search).get("info") || undefined;
+  const message = new URLSearchParams(location.search).get("message");
   const applicationName = getApplicationName();
   const logoURL = getLogoURL();
   const applicationLogo = logoURL ? (
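Review bot: The new `httpmw.CustomRedirectToLogin` calls in this hunk and in the `@@ -574,9 +573,7 @@` hunk pass `http.StatusUnauthorized` as the redirect status, which browsers do not treat as a redirect, so the login-page message may never be shown; `RedirectToLogin` in coderd/httpmw/apikey.go uses `http.StatusSeeOther` and these calls should match it: `httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusSeeOther)`. Both calls also run before the `if redirect == "" { redirect = "/" }` normalization that the `@@ -658,7 +655,6 @@` hunk leaves in place, so an empty `state.Redirect` reaches `/login` as `redirect=` rather than `/`; moving that normalization up next to the hoisted `redirect := state.Redirect` would cover both paths. Replacing the 401 JSON body with a redirect also changes what non-browser clients of the callback receive, which deserves a line in the commit description. userOAuth2Github starts and ends outside these hunks.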
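Review bot: `URLSearchParams.get("message")` yields `string | null`, whereas the replaced line coerced to `string | undefined` with `|| undefined`; the `message` prop on `SignInForm` (changed in this commit but not shown here) needs to accept `null`, or this line should keep a `?? undefined`. The value is taken straight from the URL, so any link can place arbitrary text at the top of the sign-in form; the existing comment should say so, e.g. `// Untrusted: comes from the URL query string, render as plain text only.`, and the form must never interpret it as markup. LoginPageView starts and ends outside this hunk.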
@@ -52,7 +52,7 @@ export const LoginPageView: FC = ({
         redirectTo={redirectTo}
         isSigningIn={isSigningIn}
         error={error}
-        info={info}
+        message={message}
         onSubmit={onSignIn}
       />