0001-auth_oidc-provide-a-less-scary-displayed-error-messa.patch
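--- a/src/authentic2_auth_oidc/views.py
+++ b/src/authentic2_auth_oidc/views.py
@@ -313,7 +313,9 @@
 error = request.GET['error']
 error_dict = self.errors.get(error, {})
 level = error_dict.get('level', logging.WARNING)
-error_description = request.GET.get('error_description', error_dict.get('error_description'))
+remote_error_description = request.GET.get('error_description')
+local_error_description = error_dict.get('error_description')
+error_description = remote_error_description or local_error_description
 error_url = request.GET.get('error_url')
 
 log_msg = 'auth_oidc: error received '
@@ -325,26 +327,29 @@
 log_msg += ' see %s' % error_url
 logger.log(level, log_msg)
 
-if error_description:
+message_params = {
+'request_id': request.request_id,
+'provider_name': provider and provider.name,
+'error': error,
+}
+if provider:
+message = _(
+'Login with %(provider_name)s failed, please try again later and/or report '
+'%(request_id)s to an administrator (%(error)s)'
+)
+else:
+message = _(
+'Login with OpenID Connect failed, please try again later and/or report %s to an '
+'administrator. (%(error)s)'
+)
+
+messages.warning(request, local_error_description or message % message_params)
+if remote_error_description: # log a more precise error description for debugging purposes
 message = _('%(error_description)s (%(error)s)') % {
-'error_description': error_description,
+'error_description': remote_error_description,
 'error': error,
 }
-messages.add_message(request, level, message)
-else: # unexpected error code
-message_params = {
-'request_id': request.request_id,
-'provider_name': provider and provider.name,
-'error': error,
-}
-if provider:
-message = _(
-'Login with %(provider_name)s failed, report %(request_id)s to an administrator (%(error)s)'
-)
-else:
-message = _('Login with OpenID Connect failed, report %s to an administrator. (%(error)s)')
-
-messages.warning(request, message % message_params)
+messages.debug(request, message)
 return self.continue_to_next_url(request)
 
 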
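Review bot: In the no-provider branch the new message keeps a bare `%s` next to `%(error)s`, so `message % message_params` prints the whole `message_params` dict where the request id was meant; the first string should read `'Login with OpenID Connect failed, please try again later and/or report %(request_id)s to an '`. Separately, `error` comes straight from `request.GET['error']` and is still interpolated into the user-visible warning whenever `self.errors` has no local description for it, so whoever builds the callback URL controls part of that text. Consider showing the code only when `error in self.errors` and a fixed placeholder otherwise. The debug-level message carries `remote_error_description` verbatim, which is acceptable only while `MESSAGE_LEVEL` stays above DEBUG in production. The enclosing view method starts outside this section.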
tests/test_auth_oidc.py | ||
---|---|---|
25 | 25 | |
26 | 26 |
import pytest |
27 | 27 |
from django.contrib.auth import get_user_model |
28 |
from django.contrib.messages import constants as message_constants |
|
28 | 29 |
from django.core.exceptions import ValidationError |
29 | 30 |
from django.db import IntegrityError, transaction |
30 | 31 |
from django.http import QueryDict |
32 |
from django.test.utils import override_settings |
|
31 | 33 |
from django.urls import reverse |
32 | 34 |
from django.utils.encoding import force_str |
33 | 35 |
from django.utils.timezone import now, utc |
... | ... | |
1154 | 1156 | |
1155 | 1157 |
assert 'denied by you or the identity provider' in caplog.records[-1].message |
1156 | 1158 |
assert caplog.records[-1].levelname == 'INFO' |
1157 |
assert 'denied by you or the identity provider' in response.pyquery('.info').text() |
|
1158 |
assert 'access_denied' in response |
|
1159 |
assert 'denied by you or the identity provider' in response.pyquery('.warning').text() |
|
1160 |
assert 'access_denied' not in response # error code not logged in UI anymore |
|
1161 | ||
1162 |
response = app.get( |
|
1163 |
login_callback_url(oidc_provider), |
|
1164 |
params={ |
|
1165 |
'error': 'access_denied', |
|
1166 |
'error_description': 'some OP technical error message', |
|
1167 |
'state': state, |
|
1168 |
}, |
|
1169 |
) |
|
1170 |
response = response.maybe_follow() |
|
1171 |
assert 'denied by you or the identity provider' not in caplog.records[-1].message |
|
1172 |
assert 'some OP technical error message' in caplog.records[-1].message |
|
1173 | ||
1174 |
with override_settings(MESSAGE_LEVEL=message_constants.DEBUG): |
|
1175 |
response = app.get( |
|
1176 |
login_callback_url(oidc_provider), |
|
1177 |
params={ |
|
1178 |
'error': 'access_denied', |
|
1179 |
'error_description': 'some OP technical error message', |
|
1180 |
'state': state, |
|
1181 |
}, |
|
1182 |
) |
|
1183 | ||
1184 |
response = response.maybe_follow() |
|
1185 |
assert 'denied by you or the identity provider' in response.pyquery('.warning').text() |
|
1186 |
assert 'some OP technical error message (access_denied)' in response.pyquery('.debug').text() |
|
1159 | 1187 | |
1160 | 1188 | |
1161 | 1189 |
def test_error_other(app, caplog, oidc_provider_jwkset): |
1162 |
- |