Skip to content

Use internal errors status codes during authentication flow #9540

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Sep 21, 2025
Merged

Use internal errors status codes during authentication flow #9540

merged 6 commits into from
Sep 21, 2025

Conversation

itaiad200
Copy link
Contributor

Closes #9539

@itaiad200 itaiad200 added the include-changelog PR description should be included in next release changelog label Sep 21, 2025
Isan-Rivkin
Isan-Rivkin requested changes Sep 21, 2025
View reviewed changes
pkg/api/auth_middleware.go Outdated
"group": groupName,
"user": u.Username,
}).Error("Failed to add external user to group")
return nil, fmt.Errorf("add user to group: %w", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know the existing flow is not perfect but this changes behavior (for both SAML / OIDC).
At this point in the code the user is already created. Re-running this after an error will not re-attach the user.
We allowed this since one of the groups may not always exist at first or be even deleted in the future.
If we with an error here, enhanceWithFriendlyName will not run and the call will result in an error.

IMO either leave it as-is or, change order of operations.
The correct behavior is to complete enhanceWithFriendlyName since this is a user model operation and they were created in this call.
Then, try attaching to groups and if we return an error due to that make sure we reflect that to the user.

pkg/auth/service.go
if err != nil {
a.logger.WithError(err).WithField("username", username).Error("failed to get user")
return nil, err
return nil, fmt.Errorf("%v: %w", err, ErrInternalServerError)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commenting here but, below - also validate HTTP status code in resp?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

guy-har
guy-har approved these changes Sep 21, 2025
View reviewed changes
Copy link
Contributor

@guy-har guy-har left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@itaiad200 itaiad200 merged commit 823cd51 into master Sep 21, 2025
40 checks passed
@itaiad200 itaiad200 deleted the 9539-fix-auth-internal-server-error branch September 21, 2025 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Isan-Rivkin Isan-Rivkin Isan-Rivkin approved these changes

@guy-har guy-har guy-har approved these changes

@nopcoder nopcoder Awaiting requested review from nopcoder

Assignees

No one assigned

Labels

include-changelog PR description should be included in next release changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: lakeFS remote authenticator returns 401 on internal server error

3 participants

@itaiad200 @Isan-Rivkin @guy-har