
Commit ff34fcc

author
Claude AI
committed
fix: conceal sensitive domain information in auth error messages
Stop including the configured allowed-domain list in OIDC authentication error messages. A user signing in with an email outside the allowed domains (for example a third-party contractor) no longer sees the internal domain list in the response.
1 parent 7d4b3c8 commit ff34fcc


1 file changed

+2
-2
lines changed


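--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -1358,7 +1358,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 emailSp := strings.Split(email, "@")
 if len(emailSp) == 1 {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+Message: fmt.Sprintf("Your email %q is not from an authorized domain! Please contact your administrator.", email),
 })
 return
 }
@@ -1373,7 +1373,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+Message: fmt.Sprintf("Your email %q is not from an authorized domain! Please contact your administrator.", email),
 })
 return
 }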
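Review bot: Removing `api.OIDCConfig.EmailDomain` from both responses also removes the only place the rejected email and the configured domain list were surfaced together, so an operator debugging a misconfigured allowlist now has nothing to go on; each branch should log the rejection server-side before writing the 403, e.g. a warn-level entry with the email and `api.OIDCConfig.EmailDomain` (presumably via the API's logger, which is not visible in these hunks — confirm the field name). The identical message string is now duplicated at lines 1361 and 1376; hoisting it to a package-level constant such as `const oidcEmailDomainDeniedMsg = "Your email %q is not from an authorized domain! Please contact your administrator."` keeps the two paths from drifting and makes the no-`@` case and the allowlist-miss case provably indistinguishable to a caller, which is the point of the change. Echoing the caller's own email in the message is fine since it is an IdP claim reflected back to the same session, not data about other principals. `userOIDC` begins and ends outside both hunks.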
