Allow users to sign out when there is only one oauth provider configured by miveronese · Pull Request #44803 · sourcegraph/sourcegraph-public-snapshot

miveronese · 2022-11-25T00:18:40Z

Issue: #31192

This PR fixes a signout bug that happens when there's only one auth provider configured.

Bug:

if a user had only one auth provider and clicked the SignOut link, the user was immediately signed back (sso login)
it was reported that this behavior caused issues in the past
this flow also created an annoying experience for the user, especially if they want to log in with a different account.

With this PR:

if a user has only one auth provider and clicks the SignOut link, they will be redirected to the Sourcegraph login page.
The session expiration behavior for only one auth provider was preserved. If the session expires, the user will still be signed back immediately.

Test plan

Added + updated unit tests.
Manually tested the new behavior in a local instance.

Before vs after demos:

Before: Signout flow + Session Expiration for 1 auth provider
https://user-images.githubusercontent.com/1552863/203876630-55ed1efd-3cf9-40c7-972a-91978221bff1.mp4
Now: Signout flow + Session Expiration for 1 auth provider
https://user-images.githubusercontent.com/1552863/203876673-912df8de-8424-4935-8239-03aac77dbde7.mp4

… the sso login or not

sourcegraph-bot · 2022-11-25T00:20:26Z

Codenotify: Notifying subscribers in CODENOTIFY files for diff ca2c501...830a72f.

Notify	File(s)
@unknwon	enterprise/cmd/frontend/internal/auth/githuboauth/middleware_test.go enterprise/cmd/frontend/internal/auth/gitlaboauth/middleware_test.go enterprise/cmd/frontend/internal/auth/oauth/middleware.go enterprise/cmd/frontend/internal/auth/openidconnect/middleware.go enterprise/cmd/frontend/internal/auth/openidconnect/middleware_test.go enterprise/cmd/frontend/internal/auth/saml/middleware.go enterprise/cmd/frontend/internal/auth/saml/middleware_test.go

miveronese · 2022-11-25T17:34:05Z

@mrnugget , thanks for the review! I've addressed your suggestions, so it's ready for another look!

pjlast · 2022-11-28T08:39:33Z

-		if got, want := resp.Header.Get("Location"), "/.auth/github/login?"; !strings.Contains(got, want) {
-			t.Errorf("got redirect URL %v, want contains %v", got, want)
-		}
-		redirectURL, err := url.Parse(resp.Header.Get("Location"))
-		if err != nil {
-			t.Fatal(err)
-		}
-		if got, want := redirectURL.Query().Get("redirect"), "/page"; got != want {
-			t.Errorf("got return-to URL %v, want %v", got, want)
-		}


Why did these redirect checks get removed?

The redirects were there to cover the previous flow where:

user clicks signout

user is redirected to the sso signin flow (a 302 was expected)

now, the behavior is different:

user clicks signout

there's a get request to the SG sign in page (a 200 is expected) instead of a redirect to the sso flow as before

But that's not the flow that this test tests. Reading the test it says:

User is not signed in

User tries to navigate to "http://example.com/page" sub-page

User gets redirected to GitHub OAuth sign-in flow

This is still valid and desired behaviour. Similar goes for the test above it.

yes, you are correct!! thank you!!!

pjlast

miveronese · 2022-11-29T16:23:26Z

I was waiting until the build finish to ping you, @pjlast , but you were faster :D
Thanks for insisting on the test changes 🙏

unknwon

Nice!

unknwon · 2022-12-02T08:40:47Z

+
+func RemoveSignOutCookieIfSet(r *http.Request, w http.ResponseWriter) {
+	if HasSignOutCookie(r) {
+		http.SetCookie(w, &http.Cookie{Name: SignoutCookie, Value: "", MaxAge: -1})


FYI: It is always safe to clear a cookie regardless of its existence, browser handles it. The opposite version of "upsert".

miveronese added 9 commits November 22, 2022 16:22

Allow user to sign out when there is only one oauth provider

0a6057d

Fix tests for gitlab, github and openid cases

9fb5d5a

Fix tests

eddcea4

Check session cookie to determine if the user should be redirected to…

056e5fd

… the sso login or not

Lint

cf885ab

Rename method

30adb79

Make sure the signout cookie is removed

1322444

Add more tests

53a1ba0

Fix test for subpage visit when user is not authenticated

253681a

cla-bot Bot added the cla-signed label Nov 25, 2022

github-actions Bot added the team/iam label Nov 25, 2022

Typos, wording, small fixes

cf5a573

miveronese requested a review from a team November 25, 2022 00:39

mrnugget suggested changes Nov 25, 2022

View reviewed changes

miveronese added 3 commits November 25, 2022 14:21

Address PR review suggestions

4860e11

Move cookie logic to the the auth package

1e4830c

Undo line removed by mistake

4a3b54c

miveronese requested review from a team and mrnugget November 25, 2022 17:34

mrnugget approved these changes Nov 28, 2022

View reviewed changes

Comment thread cmd/frontend/auth/sign_out_cookie.go

Comment thread cmd/frontend/internal/app/sign_out.go Outdated

Comment thread enterprise/cmd/frontend/internal/auth/oauth/middleware.go Outdated

Comment thread enterprise/cmd/frontend/internal/auth/saml/middleware.go Outdated

pjlast reviewed Nov 28, 2022

View reviewed changes

miveronese added 6 commits November 28, 2022 14:13

Create unset function and call it when we check/set the actor

f309d32

Remove debug message

8ed7017

Move function to the auth package

da1ef7b

Undo use of pointer

7e59bc6

Remove comments that aren't necessary anymore

8206418

Remove extra line

6a87fd9

miveronese requested a review from pjlast November 28, 2022 20:18

Re-add redirects to tests

830a72f

pjlast approved these changes Nov 29, 2022

View reviewed changes

miveronese merged commit dcfb092 into main Nov 29, 2022

miveronese deleted the mv/bugfix-signout branch November 29, 2022 16:25

miveronese mentioned this pull request Nov 29, 2022

Can't Signout -- OAuth as only Auth #31192

Closed

unknwon reviewed Dec 2, 2022

View reviewed changes

Conversation

miveronese commented Nov 25, 2022

Test plan

Uh oh!

sourcegraph-bot commented Nov 25, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

miveronese commented Nov 25, 2022

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

pjlast Nov 28, 2022

Choose a reason for hiding this comment

Uh oh!

miveronese Nov 28, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

pjlast Nov 29, 2022

Choose a reason for hiding this comment

Uh oh!

miveronese Nov 29, 2022

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

pjlast left a comment

Choose a reason for hiding this comment

Uh oh!

miveronese commented Nov 29, 2022

Uh oh!

unknwon left a comment

Choose a reason for hiding this comment

Uh oh!

unknwon Dec 2, 2022

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sourcegraph-bot commented Nov 25, 2022 •

edited

Loading

miveronese Nov 28, 2022 •

edited

Loading