Commit13f5c75

Emyrk

authored and

kylecarbs

committed

fix: Suspended users cannot authenticate (#1849)

* fix: Suspended users cannot authenticate- Merge roles and apikey extract httpmw- Add member account to make dev- feat: UI Shows suspended error logging into suspended account- change 'active' route to 'activate'

1 parent3dc2b9f commit13f5c75Copy full SHA for 13f5c75

File tree

17 files changed

+197

-56

lines changed

coderd
- coderd.go
- database
  - databasefake
    - databasefake.go
  - queries
    - users.sql
  - queries.sql.go
- httpmw
- users.go
- users_test.go
codersdk
- users.go
scripts
- develop.sh
site/src
- api
  - api.ts
- components
  - SignInForm
    - SignInForm.tsx
  - UsersTable
    - UsersTable.tsx
- pages/LoginPage
  - LoginPage.test.tsx
  - LoginPage.tsx
- xServices/auth
  - authXService.ts

17 files changed

+197

-56

lines changed

`‎coderd/coderd.go`

Lines changed: 2 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,6 @@ func New(options Options) API {`
`82`	`82`	`apiKeyMiddleware:=httpmw.ExtractAPIKey(options.Database,&httpmw.OAuth2Configs{`
`83`	`83`	`Github:options.GithubOAuth2Config,`
`84`	`84`	`})`
`85`		`-// TODO: @emyrk we should just move this into 'ExtractAPIKey'.`
`86`		`-authRolesMiddleware:=httpmw.ExtractUserRoles(options.Database)`
`87`	`85`
`88`	`86`	`r.Use(`
`89`	`87`	`func(next http.Handler) http.Handler {`
`@@ -125,7 +123,6 @@ func New(options Options) API {`
`125`	`123`	`r.Route("/files",func(r chi.Router) {`
`126`	`124`	`r.Use(`
`127`	`125`	`apiKeyMiddleware,`
`128`		`-authRolesMiddleware,`
`129`	`126`	`// This number is arbitrary, but reading/writing`
`130`	`127`	`// file content is expensive so it should be small.`
`131`	`128`	`httpmw.RateLimitPerMinute(12),`
`@@ -136,14 +133,12 @@ func New(options Options) API {`
`136`	`133`	`r.Route("/provisionerdaemons",func(r chi.Router) {`
`137`	`134`	`r.Use(`
`138`	`135`	`apiKeyMiddleware,`
`139`		`-authRolesMiddleware,`
`140`	`136`	`)`
`141`	`137`	`r.Get("/",api.provisionerDaemons)`
`142`	`138`	`})`
`143`	`139`	`r.Route("/organizations",func(r chi.Router) {`
`144`	`140`	`r.Use(`
`145`	`141`	`apiKeyMiddleware,`
`146`		`-authRolesMiddleware,`
`147`	`142`	`)`
`148`	`143`	`r.Post("/",api.postOrganizations)`
`149`	`144`	`r.Route("/{organization}",func(r chi.Router) {`
`@@ -179,7 +174,7 @@ func New(options Options) API {`
`179`	`174`	`})`
`180`	`175`	`})`
`181`	`176`	`r.Route("/parameters/{scope}/{id}",func(r chi.Router) {`
`182`		`-r.Use(apiKeyMiddleware,authRolesMiddleware)`
	`177`	`+r.Use(apiKeyMiddleware)`
`183`	`178`	`r.Post("/",api.postParameter)`
`184`	`179`	`r.Get("/",api.parameters)`
`185`	`180`	`r.Route("/{name}",func(r chi.Router) {`
`@@ -189,7 +184,6 @@ func New(options Options) API {`
`189`	`184`	`r.Route("/templates/{template}",func(r chi.Router) {`
`190`	`185`	`r.Use(`
`191`	`186`	`apiKeyMiddleware,`
`192`		`-authRolesMiddleware,`
`193`	`187`	`httpmw.ExtractTemplateParam(options.Database),`
`194`	`188`	`)`
`195`	`189`
`@@ -204,7 +198,6 @@ func New(options Options) API {`
`204`	`198`	`r.Route("/templateversions/{templateversion}",func(r chi.Router) {`
`205`	`199`	`r.Use(`
`206`	`200`	`apiKeyMiddleware,`
`207`		`-authRolesMiddleware,`
`208`	`201`	`httpmw.ExtractTemplateVersionParam(options.Database),`
`209`	`202`	`)`
`210`	`203`
`@@ -229,7 +222,6 @@ func New(options Options) API {`
`229`	`222`	`r.Group(func(r chi.Router) {`
`230`	`223`	`r.Use(`
`231`	`224`	`apiKeyMiddleware,`
`232`		`-authRolesMiddleware,`
`233`	`225`	`)`
`234`	`226`	`r.Post("/",api.postUser)`
`235`	`227`	`r.Get("/",api.users)`
`@@ -244,7 +236,7 @@ func New(options Options) API {`
`244`	`236`	`r.Put("/profile",api.putUserProfile)`
`245`	`237`	`r.Route("/status",func(r chi.Router) {`
`246`	`238`	`r.Put("/suspend",api.putUserStatus(database.UserStatusSuspended))`
`247`		`-r.Put("/active",api.putUserStatus(database.UserStatusActive))`
	`239`	`+r.Put("/activate",api.putUserStatus(database.UserStatusActive))`
`248`	`240`	`})`
`249`	`241`	`r.Route("/password",func(r chi.Router) {`
`250`	`242`	`r.Put("/",api.putUserPassword)`
`@@ -292,7 +284,6 @@ func New(options Options) API {`
`292`	`284`	`r.Route("/workspaceresources/{workspaceresource}",func(r chi.Router) {`
`293`	`285`	`r.Use(`
`294`	`286`	`apiKeyMiddleware,`
`295`		`-authRolesMiddleware,`
`296`	`287`	`httpmw.ExtractWorkspaceResourceParam(options.Database),`
`297`	`288`	`httpmw.ExtractWorkspaceParam(options.Database),`
`298`	`289`	`)`
`@@ -301,7 +292,6 @@ func New(options Options) API {`
`301`	`292`	`r.Route("/workspaces",func(r chi.Router) {`
`302`	`293`	`r.Use(`
`303`	`294`	`apiKeyMiddleware,`
`304`		`-authRolesMiddleware,`
`305`	`295`	`)`
`306`	`296`	`r.Get("/",api.workspaces)`
`307`	`297`	`r.Route("/{workspace}",func(r chi.Router) {`
`@@ -327,7 +317,6 @@ func New(options Options) API {`
`327`	`317`	`r.Route("/workspacebuilds/{workspacebuild}",func(r chi.Router) {`
`328`	`318`	`r.Use(`
`329`	`319`	`apiKeyMiddleware,`
`330`		`-authRolesMiddleware,`
`331`	`320`	`httpmw.ExtractWorkspaceBuildParam(options.Database),`
`332`	`321`	`httpmw.ExtractWorkspaceParam(options.Database),`
`333`	`322`	`)`

`‎coderd/database/databasefake/databasefake.go`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -231,11 +231,13 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams`
`231`	`231`	`users=tmp`
`232`	`232`	`}`
`233`	`233`
`234`		`-ifparams.Status!="" {`
	`234`	`+iflen(params.Status)>0 {`
`235`	`235`	`usersFilteredByStatus:=make([]database.User,0,len(users))`
`236`	`236`	`fori,user:=rangeusers {`
`237`		`-ifparams.Status==string(user.Status) {`
`238`		`-usersFilteredByStatus=append(usersFilteredByStatus,users[i])`
	`237`	`+for_,status:=rangeparams.Status {`
	`238`	`+ifuser.Status==status {`
	`239`	`+usersFilteredByStatus=append(usersFilteredByStatus,users[i])`
	`240`	`+}`
`239`	`241`	`}`
`240`	`242`	`}`
`241`	`243`	`users=usersFilteredByStatus`
`@@ -302,6 +304,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`302`	`304`	`return database.GetAllUserRolesRow{`
`303`	`305`	`ID:userID,`
`304`	`306`	`Username:user.Username,`
	`307`	`+Status:user.Status,`
`305`	`308`	`Roles:roles,`
`306`	`309`	`},nil`
`307`	`310`	`}`

`‎coderd/database/queries.sql.go`

Lines changed: 25 additions & 15 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/users.sql`

Lines changed: 9 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -101,17 +101,19 @@ WHERE`
`101`	`101`	`WHEN @search ::text!='' THEN (`
`102`	`102`	`emailLIKE concat('%', @search,'%')`
`103`	`103`	`OR usernameLIKE concat('%', @search,'%')`
`104`		`-)`
	`104`	`+)`
`105`	`105`	`ELSE true`
`106`	`106`	`END`
`107`	`107`	`-- Filter by status`
`108`	`108`	`AND CASE`
`109`	`109`	`-- @status needs to be a text because it can be empty, If it was`
`110`	`110`	`-- user_status enum, it would not.`
`111`		`-WHEN @status ::text!='' THEN (`
`112`		`-status= @status :: user_status`
	`111`	`+WHENcardinality(@status ::user_status[])>0 THEN (`
	`112`	`+status=ANY(@status :: user_status[])`
`113`	`113`	`)`
`114`		`-ELSE true`
	`114`	`+ELSE`
	`115`	`+-- Only show active by default`
	`116`	`+ status='active'`
`115`	`117`	`END`
`116`	`118`	`-- End of filters`
`117`	`119`	`ORDER BY`
`@@ -135,7 +137,9 @@ WHERE`
`135`	`137`	`-- name: GetAllUserRoles :one`
`136`	`138`	`SELECT`
`137`	`139`	`-- username is returned just to help for logging purposes`
`138`		`-id, username, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles`
	`140`	`+-- status is used to enforce 'suspended' users, as all roles are ignored`
	`141`	`+--when suspended.`
	`142`	`+id, username, status, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles`
`139`	`143`	`FROM`
`140`	`144`	`users`
`141`	`145`	`LEFT JOIN organization_members`

`‎coderd/httpmw/apikey.go`

Lines changed: 21 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,27 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h`
`175`	`175`	`}`
`176`	`176`	`}`
`177`	`177`
`178`		`-ctx:=context.WithValue(r.Context(),apiKeyContextKey{},key)`
	`178`	`+// If the key is valid, we also fetch the user roles and status.`
	`179`	`+// The roles are used for RBAC authorize checks, and the status`
	`180`	`+// is to block 'suspended' users from accessing the platform.`
	`181`	`+roles,err:=db.GetAllUserRoles(r.Context(),key.UserID)`
	`182`	`+iferr!=nil {`
	`183`	`+httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
	`184`	`+Message:"roles not found",`
	`185`	`+})`
	`186`	`+return`
	`187`	`+}`
	`188`	`+`
	`189`	`+ifroles.Status!=database.UserStatusActive {`
	`190`	`+httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
	`191`	`+Message:fmt.Sprintf("user is not active (status = %q), contact an admin to reactivate your account",roles.Status),`
	`192`	`+})`
	`193`	`+return`
	`194`	`+}`
	`195`	`+`
	`196`	`+ctx:=r.Context()`
	`197`	`+ctx=context.WithValue(ctx,apiKeyContextKey{},key)`
	`198`	`+ctx=context.WithValue(ctx,userRolesKey{},roles)`
`179`	`199`	`next.ServeHTTP(rw,r.WithContext(ctx))`
`180`	`200`	`})`
`181`	`201`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit13f5c75

File tree

17 files changed

17 files changed

`‎coderd/coderd.go`

`‎coderd/database/databasefake/databasefake.go`

`‎coderd/database/queries.sql.go`

`‎coderd/database/queries/users.sql`

`‎coderd/httpmw/apikey.go`

0 commit comments