fix: return 404 instead of 401 for missing OAuth2 apps #18755
Conversation
7fac49d to
932c04f
Compare
This prevents users from being logged out when deleting OAuth2 apps. The frontend interceptor triggers logout on 401 responses, but React Query refetches deleted apps and should get 404, not 401. Also adds conditional OAuth2 navigation when experiment is enabled. Change-Id: I48886144883539b7c51307f2a500f95be31dd383 Signed-off-by: Thomas Kosiewski <[email protected]>
932c04f to
eb425dd
Compare
| _CANONICALIZE_CMD="python3" | ||
| elif command -v python >/dev/null 2>&1; then | ||
| _CANONICALIZE_CMD="python" | ||
| elif command -v perl >/dev/null 2>&1; then | ||
| _CANONICALIZE_CMD="perl" |
There was a problem hiding this comment.
Why do we need to run python or perl interpreters at all here?
There was a problem hiding this comment.
Those are fallbacks in case realpath or readlink are not available.
While working with CC hooks, I noticed that their file paths are wonky. Sometimes, they are relative, and sometimes, they are absolute, often a misformulation of both.
So this is just in case someone develops coder on an env that doesn’t have realpath or readlink.
There was a problem hiding this comment.
So this is just in case someone develops coder on an env that doesn’t have realpath or readlink.
Can you give an example? I see these available in Nix and they're also available on darwin via Brew / coreutils.
There was a problem hiding this comment.
Unless we don't care about Windows development, then I'm happy to zap this
There was a problem hiding this comment.
Actually, this is a CC hook, and CC only works on Linux/macOS.
I'll yeet the fallbacks later.
There was a problem hiding this comment.
Instead of deviating further from the OAuth2 spec, what do you think about instead modifying the interceptor to ignore this as a special case?
If the user's token has indeed expired, there will almost certainly be another 401 to trigger this logic and sign the user out.
| @@ -141,6 +141,7 @@ export const EditOAuth2AppPageView: FC<EditOAuth2AppProps> = ({ | |||
| confirmLoading={mutatingResource.deleteApp} | |||
| name={app.name} | |||
| entity="OAuth2 application" | |||
| info="⚠️ Warning: Deleting this OAuth2 application will immediately invalidate all active sessions and API keys associated with it. Users currently authenticated through this application will be logged out and need to re-authenticate." | |||
There was a problem hiding this comment.
Since this message is displayed inside of a DeleteDialog, which already has a style to warn users, we don't need to prefix it with "
| @@ -554,6 +558,7 @@ describe("WorkspacePage", () => { | |||
| appearance: MockAppearanceConfig, | |||
| entitlements: MockEntitlements, | |||
| experiments: [], | |||
| buildInfo: { version: "v0.0.0-test" } as BuildInfoResponse, | |||
There was a problem hiding this comment.
Nit: You can use a more complete build info object, from our existent mocks, to avoid casting partial values using as. The advantage on that, IMHO, is to have a more reliable value. Time to time, I face some bugs in tests because the value types are correct, but the value is missing some properties.
To "fix" that you could do:
import { MockBuildInfo } from "testHelpers/entities"
return <DashboardContext.Provider
value={{
buildInfo: {
..MockBuildInfo,
version: "v0.0.0-test"
}
}}
/>| @@ -56,6 +56,7 @@ export const withDashboardProvider = ( | |||
| entitlements, | |||
| experiments, | |||
| appearance: MockAppearanceConfig, | |||
| buildInfo: { version: "v0.0.0-test" } as BuildInfoResponse, | |||
There was a problem hiding this comment.
Same as before. However, If having the version as v0.0.0-test is what we want to use by default, you could just use the MockBuildInfo directly, and update the value prop to use the new value.
We're not deviating from the RFC here. These changes do not address the revocation endpoint (which will be part of a future PR), but a custom endpoint to delete OAuth2 apps in coder. Thus we're not constrained and free to return the codes we want or need. |
Sorry, misread the scope. That sounds fine then. |
Problem
Users were being automatically logged out when deleting OAuth2 applications.
Root Cause
signOut()Solution
writeInvalidClienttowriteClientNotFoundfor clarityAdditional Changes
isDevBuild()utility andbuildInfoto dashboard context