
fix: return 404 instead of 401 for missing OAuth2 apps#18755


Merged
ThomasK33 merged 1 commit into main from fix/oauth2-app-deletion-logout on Jul 7, 2025

Conversation

ThomasK33 (Member):

Problem

Users were being automatically logged out when deleting OAuth2 applications.

Root Cause

  1. User deletes OAuth2 app successfully
  2. React Query automatically refetches the app data
  3. Management API incorrectly returned 401 Unauthorized for the missing app
  4. Frontend axios interceptor sees 401 and calls signOut()
  5. User gets logged out unexpectedly

Solution

  • Change management API to return 404 Not Found for missing OAuth2 apps
  • OAuth2 protocol endpoints continue returning 401 per RFC 6749
  • Rename writeInvalidClient to writeClientNotFound for clarity

Additional Changes

  • Add conditional OAuth2 navigation when experiment is enabled or in dev builds
  • Add isDevBuild() utility and buildInfo to dashboard context
  • Minor improvements to format script and warning dialogs
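The five-step root cause above is easiest to see with both sides modelled in one place. The following is an added example written for this page, not code from the coder repository: an in-memory stand-in for the management API (with a toggle between the old 401 and the new 404 for a missing app) and an axios-style response interceptor that signs the user out on any 401. The handler names, the `/api/v2/oauth2-provider/apps/` path and the session-token values are assumptions for the simulation. It reproduces the delete-then-refetch sequence under both behaviours, and also shows that a stale session token still produces a 401 and still triggers the logout path.

```javascript
// Added example (not the coder project's code). Names such as makeServer,
// makeClient and the request path are hypothetical stand-ins.

// Constructed server state standing in for the OAuth2 provider app table.
function makeServer() {
  const apps = new Map([["app-1", { id: "app-1", name: "demo" }]]);
  const validToken = "session-token"; // constructed value

  // Management API handler. `returnNotFound` toggles the PR's change:
  //   false -> old behaviour: 401 Unauthorized for a missing app
  //   true  -> new behaviour: 404 Not Found for a missing app
  function managementApi({ method, path, token }, { returnNotFound }) {
    if (token !== validToken) {
      return { status: 401, body: { message: "Unauthorized" } };
    }
    const id = path.replace("/api/v2/oauth2-provider/apps/", ""); // path assumed
    const app = apps.get(id);
    if (!app) {
      return returnNotFound
        ? { status: 404, body: { message: "OAuth2 app not found" } }
        : { status: 401, body: { message: "Unauthorized" } };
    }
    if (method === "DELETE") {
      apps.delete(id);
      return { status: 204, body: null };
    }
    return { status: 200, body: app };
  }
  return { managementApi };
}

// Frontend side: an axios-style response interceptor that calls signOut()
// on every 401, which is the behaviour the PR description relies on.
function makeClient(server, opts) {
  const state = { signedOut: false, token: "session-token" };
  function request(req) {
    const res = server.managementApi({ ...req, token: state.token }, opts);
    if (res.status === 401) {
      state.signedOut = true; // interceptor: signOut()
    }
    return res;
  }
  return { state, request };
}

// Steps 1-5 of the root cause: delete the app, then React Query refetches it.
function deleteThenRefetch({ returnNotFound }) {
  const server = makeServer();
  const client = makeClient(server, { returnNotFound });
  const path = "/api/v2/oauth2-provider/apps/app-1";
  const del = client.request({ method: "DELETE", path });
  const refetch = client.request({ method: "GET", path });
  return {
    deleteStatus: del.status,
    refetchStatus: refetch.status,
    signedOut: client.state.signedOut,
  };
}

// A genuinely invalid session still yields 401 on the next request, so the
// interceptor's logout path is unaffected by the 404 change.
function expiredTokenStillLogsOut() {
  const server = makeServer();
  const client = makeClient(server, { returnNotFound: true });
  client.state.token = "stale-token"; // constructed value
  const res = client.request({
    method: "GET",
    path: "/api/v2/oauth2-provider/apps/app-1",
  });
  return { status: res.status, signedOut: client.state.signedOut };
}

console.log("before fix:", deleteThenRefetch({ returnNotFound: false }));
console.log("after fix: ", deleteThenRefetch({ returnNotFound: true }));
console.log("stale token:", expiredTokenStillLogsOut());
```

Running it shows the old behaviour (refetch gets 401, `signedOut` becomes true), the fixed behaviour (refetch gets 404, the user stays logged in), and the stale-token case (401, logged out), which is the property worth keeping in view when a management endpoint's status codes change: the interceptor's 401 handling is a global side channel, so any endpoint that returns 401 for a non-authentication reason will log the user out.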

ThomasK33 force-pushed the fix/oauth2-app-deletion-logout branch 2 times, most recently from 932c04f to eb425dd on July 4, 2025 13:52
ThomasK33 requested a review from johnstcn on July 7, 2025 12:14
johnstcn (Member) left a comment:

Instead of deviating further from the OAuth2 spec, what do you think about instead modifying the interceptor to ignore this as a special case?

If the user's token has indeed expired, there will almost certainly be another 401 to trigger this logic and sign the user out.

BrunoQuaresma (Collaborator) left a comment:

I left a few comments related to the FE code, but I don't think they are blockers. 👍

ThomasK33 (Member, Author):

> Instead of deviating further from the OAuth2 spec, what do you think about instead modifying the interceptor to ignore this as a special case?
>
> If the user's token has indeed expired, there will almost certainly be another 401 to trigger this logic and sign the user out.

We're not deviating from the RFC here.

These changes do not address the revocation endpoint (which will be part of a future PR), but a custom endpoint to delete OAuth2 apps in coder. Thus we're not constrained and free to return the codes we want or need.

johnstcn (Member):

> We're not deviating from the RFC here.
>
> These changes do not address the revocation endpoint (which will be part of a future PR), but a custom endpoint to delete OAuth2 apps in coder. Thus we're not constrained and free to return the codes we want or need.

Sorry, misread the scope. That sounds fine then.

Commit message:

This prevents users from being logged out when deleting OAuth2 apps.
The frontend interceptor triggers logout on 401 responses, but React Query
refetches deleted apps and should get 404, not 401.
Also adds conditional OAuth2 navigation when experiment is enabled.

Change-Id: I48886144883539b7c51307f2a500f95be31dd383
Signed-off-by: Thomas Kosiewski <tk@coder.com>

ThomasK33 force-pushed the fix/oauth2-app-deletion-logout branch from eb425dd to 9997b55 on July 7, 2025 17:42
ThomasK33 merged commit 3dcd2ac into main on Jul 7, 2025
32 checks passed
ThomasK33 deleted the fix/oauth2-app-deletion-logout branch on July 7, 2025 17:57
github-actions bot locked and limited conversation to collaborators on Jul 7, 2025
Reviewers

BrunoQuaresma approved these changes
johnstcn approved these changes

Assignees

ThomasK33

