Merge branch 'rsa' into 'main'

Added more error logs.

See merge request psa/uess/authn!4
2026-02-27 10:20:00 +08:00
+15 -2
@@ -219,10 +219,12 @@ func GoogleCallback(w http.ResponseWriter, r *http.Request) {
}
if !emailExists {
helper.LogError(errors.New("unregistered email"), "Google login attempt with unregistered email: "+email)
if FetchedRedirectURI != nil && *FetchedRedirectURI != "" {
RedirectURI := *FetchedRedirectURI
log.Print("RedirectURI from query param: ", RedirectURI)
if !IsAllowedRedirectURI(RedirectURI) {
helper.LogError(errors.New("unauthorized redirect uri"), "Blocked redirect URI for unregistered email: "+RedirectURI)
helper.RespondWithError(w, http.StatusUnauthorized, "Unauthorized RedirectURI")
log.Print("Unauthorized RedirectURI: ", RedirectURI)
return
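Review bot: The two added `helper.LogError` calls build their message by concatenating `email` and `RedirectURI`, both of which come straight from the request, so a value containing a newline or control characters lands in the log unescaped. Format them with `%q` instead, e.g. `helper.LogError(errors.New("unauthorized redirect uri"), fmt.Sprintf("Blocked redirect URI for unregistered email: %q", RedirectURI))`, and the same for the unregistered-email line. Whether `helper.LogError` already sanitizes its message is not visible here; if it does, this is moot. The email is also personal data, so confirm the log destination is one where storing it is acceptable. GoogleCallback starts before and continues after this hunk.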
@@ -294,6 +296,7 @@ func GoogleCallback(w http.ResponseWriter, r *http.Request) {
err = helper.LogLoginEventV2(userID, ipAddress)
if err != nil {
helper.LogError(err, fmt.Sprintf("Failed to log login event. user_id=%s ip=%s", userID, ipAddress))
helper.RespondWithError(w, http.StatusBadGateway, "Failed to Log Login Event")
return
}
@@ -304,6 +307,7 @@ func GoogleCallback(w http.ResponseWriter, r *http.Request) {
RedirectURI := *FetchedRedirectURI
log.Print("RedirectURI from query param: ", RedirectURI)
if !IsAllowedRedirectURI(RedirectURI) {
helper.LogError(errors.New("unauthorized redirect uri"), "Blocked redirect URI after successful auth: "+RedirectURI)
helper.RespondWithError(w, http.StatusUnauthorized, "Unauthorized RedirectURI")
log.Print("Unauthorized RedirectURI: ", RedirectURI)
return
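Review bot: The added `helper.LogError` call and the existing `log.Print("Unauthorized RedirectURI: ", RedirectURI)` two lines below now record the same blocked URI twice on every rejection; keep the structured call and drop the `log.Print`. While touching it, quote the value so a crafted URI cannot inject line breaks into the log: `fmt.Sprintf("Blocked redirect URI after successful auth: %q", RedirectURI)`. The same duplication appears in the unregistered-email path earlier in this function. GoogleCallback starts before and continues after this hunk.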
@@ -324,12 +328,21 @@ func GoogleCallback(w http.ResponseWriter, r *http.Request) {
func validateState(w http.ResponseWriter, r *http.Request) bool {
cookie, err := r.Cookie("oauth_state")
if err != nil || r.URL.Query().Get("state") != cookie.Value {
callbackState := r.URL.Query().Get("state")
if err != nil {
helper.LogError(err, "oauth_state cookie missing or unreadable during callback")
helper.LogWarn(errorInvalidState)
helper.RespondWithError(w, http.StatusUnauthorized, errorInvalidState)
return false
}
helper.LogInfo(fmt.Sprintf("Cookie state: %s, Callback state: %s", cookie.Value, r.URL.Query().Get("state")))
if callbackState != cookie.Value {
helper.LogError(errors.New("oauth state mismatch"), fmt.Sprintf("OAuth state mismatch. cookie_state=%s callback_state=%s", cookie.Value, callbackState))
helper.LogWarn(errorInvalidState)
helper.RespondWithError(w, http.StatusUnauthorized, errorInvalidState)
return false
}
helper.LogInfo(fmt.Sprintf("Cookie state: %s, Callback state: %s", cookie.Value, callbackState))
return true
}
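Review bot: The split check still accepts an empty state: if the `oauth_state` cookie is present but carries an empty value and the callback has no `state` parameter, `callbackState != cookie.Value` compares `""` with `""` and validateState returns true, so the CSRF binding is skipped without any log line. Reject that case explicitly, `if callbackState == "" || callbackState != cookie.Value {`; a constant-time compare via `crypto/subtle` would be a cheap addition if you want it. The mismatch and success paths also write the raw state values to the log (`cookie_state=%s callback_state=%s` and the final `LogInfo`); the state is presumably a single-use nonce so the exposure is limited, but logging only the lengths or a short prefix would serve debugging equally well. Whether the initiating handler could ever set an empty cookie value is not visible from this hunk.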