Improve access-denied checks #1266

Merged
merged 3 commits into from
Apr 15, 2022
Changes from 2 commits
10 changes: 9 additions & 1 deletion src/auth/index.js
Expand Up @@ -26,7 +26,7 @@ if (typeof window.SharedWorker !== 'undefined') {
}

if (TokenWorker?.port) {
TokenWorker.port.onmessage = e => {
TokenWorker.port.onmessage = async e => {
const type = e.data?.type
const payload = e.data?.payload

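Review bot: the handler assigned to `TokenWorker.port.onmessage` is now `async`, but nothing awaits or catches the promise it returns, so a rejection from any awaited call inside the switch becomes an unhandled promise rejection. Wrap the handler body in `try { ... } catch (err) { ... }` and decide explicitly what the user should see when handling a worker message fails.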
Expand Down Expand Up @@ -61,6 +61,14 @@ if (TokenWorker?.port) {
}
}
break
case 'accessDenied':
await authClient.signOut({
clientId: process.env.VUE_APP_PUBLIC_CLIENT_ID,
idToken: payload,
postLogoutRedirectUri:
window.location.origin + '/access-denied?reason=invalid_sso'
})
break
case 'console':
// This should only be used for debugging
// eslint-disable-next-line no-console
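Review bot: in the `accessDenied` case the redirect always carries `reason=invalid_sso`, while the message type is only named `accessDenied` and its payload is just an ID token, so every denial is presented to the user as an unsupported sign-in method. Either have the worker send the reason along with the token and pass it through here, or rename the message type so it matches the single cause it reports. The `await authClient.signOut(...)` call also has no error handling; if it rejects, no redirect happens and the failure is silent.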
68 changes: 44 additions & 24 deletions src/pages/AccessDenied.vue
Expand Up @@ -8,6 +8,11 @@ export default {
origin: window.location.origin
}
},
computed: {
invalidSSOMethod() {
return this.$route.query?.reason == 'invalid_sso'
}
},
methods: {
...mapActions('auth', ['login']),
async logOut() {
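Review bot: `invalidSSOMethod` compares with `==`; use `===` so the check does not depend on type coercion of the query value. `reason` comes straight from the URL, so keep it limited to selecting which message is displayed, as it is here, and do not let it gate anything else.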
Expand All @@ -28,32 +33,47 @@ export default {
>
<div class="text py-16 px-8 rounded">
<h1>Oops!</h1>
<p>
It looks like you don't have access to this application. If you believe
this is an error, contact us at [email protected]
</p>

<v-btn
v-if="origin !== 'cloud.prefect.io'"
color="white"
class="primary--text"
depressed
href="https://cloud.prefect.io"
>
<v-icon class="mr-4">cloud</v-icon>
Take me to Prefect Cloud
</v-btn>
<div v-if="invalidSSOMethod">
<p>
It looks like you're attempting to sign in with a method unsupported
by your organization.
</p>

<v-btn color="white" class="primary--text" depressed @click="logOut">
<v-icon>arrow_back_ios</v-icon>
Back to sign in
</v-btn>
</div>

<div v-else>
<p>
It looks like you don't have access to this application. If you
believe this is an error, contact us at [email protected]
</p>

<v-btn
v-if="origin !== 'cloud.prefect.io'"
color="white"
class="primary--text"
depressed
href="https://cloud.prefect.io"
>
<v-icon class="mr-4">cloud</v-icon>
Take me to Prefect Cloud
</v-btn>

<v-btn
v-else
color="white"
class="primary--text"
depressed
@click="logOut"
>
<v-icon>arrow_back_ios</v-icon>
Sign out
</v-btn>
<v-btn
v-else
color="white"
class="primary--text"
depressed
@click="logOut"
>
<v-icon>arrow_back_ios</v-icon>
Sign out
</v-btn>
</div>
</div>
</div>
</template>
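Review bot: `v-if="origin !== 'cloud.prefect.io'"` compares `window.location.origin`, which includes the scheme (`https://cloud.prefect.io`), against a bare hostname, so the condition is always true and the `v-else` Sign out button can never render. Compare against `'https://cloud.prefect.io'` or use `window.location.hostname` instead. Separately, the "Back to sign in" button in the `invalidSSOMethod` branch calls `logOut` even though the redirect to this page is issued by `authClient.signOut`; confirm that a second sign-out is intended.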
9 changes: 7 additions & 2 deletions src/workers/auth.worker.js
Expand Up @@ -154,11 +154,16 @@ const handleAuthorize = async idToken => {
authorizing = true
if (
!state.authorizationToken ||
new Date(state.authorizationToken.expires_at) <= Date.now()
(state.authorizationToken &&
new Date(state.authorizationToken.expires_at) <= Date.now())
) {
const authorizationResponse = await authorize(idToken)

setAuthorizationToken(authorizationResponse)
if (authorizationResponse && authorizationResponse.access_token) {
setAuthorizationToken(authorizationResponse)
} else {
postToConnections({ type: 'accessDenied', payload: state.idToken })
}
}

postToChannelPorts({ payload: state.authorizationToken })
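Review bot: in the `else` branch, after posting `accessDenied` the function still falls through to `postToChannelPorts({ payload: state.authorizationToken })`, which at that point is either unset or expired, so ports receive a stale or empty token right after the denial. Skip that post when no new token was set. The message also sends `state.idToken` rather than the `idToken` argument that was just passed to `authorize`; use the argument so sign-out is performed with the token that was actually rejected. The added `state.authorizationToken &&` guard is redundant because `!state.authorizationToken ||` already short-circuits.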