diff --git a/cli/server.go b/cli/server.go
index 933ab64ab267a..745794a236200 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c
 }
 params.clientID = GithubOAuth2DefaultProviderClientID
- params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
 params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow
+ if len(params.allowOrgs) == 0 {
+ params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
+ }
 return ¶ms, nil
 }
diff --git a/cli/server_test.go b/cli/server_test.go
index d4031faf94fbe..64ad535ea34f3 100644
--- a/cli/server_test.go
+++ b/cli/server_test.go
@@ -314,6 +314,7 @@ func TestServer(t *testing.T) {
 githubDefaultProviderEnabled string
 githubClientID string
 githubClientSecret string
+ allowedOrg string
 expectGithubEnabled bool
 expectGithubDefaultProviderConfigured bool
 createUserPreStart bool
@@ -355,7 +356,9 @@ func TestServer(t *testing.T) {
 if tc.githubDefaultProviderEnabled != "" {
 args = append(args, fmt.Sprintf("--oauth2-github-default-provider-enable=%s", tc.githubDefaultProviderEnabled))
 }
-
+ if tc.allowedOrg != "" { args = append(args, fmt.Sprintf("--oauth2-github-allowed-orgs=%s", tc.allowedOrg))
+ }
 inv, cfg := clitest.New(t, args...)
 errChan := make(chan error, 1)
 go func() {
@@ -439,6 +442,12 @@ func TestServer(t *testing.T) {
 expectGithubEnabled: true,
 expectGithubDefaultProviderConfigured: false,
 },
+ {
+ name: "AllowedOrg",
+ allowedOrg: "coder",
+ expectGithubEnabled: true,
+ expectGithubDefaultProviderConfigured: true,
+ },
 } {
 tc := tc
 t.Run(tc.name, func(t *testing.T) {
diff --git a/coderd/userauth.go b/coderd/userauth.go
index d8f52f79d2b60..3c1481b1f9039 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
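Review bot: The permissive `allowEveryone` default is now gated only on `params.allowOrgs` being empty, and the new `if` in getGithubOAuth2ConfigParams carries no comment saying why; I would add `// Opening sign-in to everyone is only a safe default when no org allow-list restricts the provider.` above it. If the params struct also carries a team allow-list (not visible in this hunk), that restriction should presumably gate the default as well, since otherwise a teams-only configuration would still be widened to everyone. getGithubOAuth2ConfigParams begins outside the hunk, so it is not visible here whether allowEveryone was already populated from user configuration before this point.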
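Review bot: The new AllowedOrg case in cli/server_test.go asserts only expectGithubEnabled and expectGithubDefaultProviderConfigured, neither of which observes the behaviour this commit changes in cli/server.go, namely allowEveryone staying unset when an org allow-list is given. Unless the test body outside the hunk already inspects the resulting provider config, a regression that re-enables allowEveryone would pass this case unnoticed. Consider adding an expectation field such as `expectAllowEveryone bool` to the case struct (first server_test.go hunk) and asserting it where the configured provider is checked; the table's consuming code starts outside these hunks.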
@@ -922,7 +922,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 }
 }
 if len(selectedMemberships) == 0 {
- httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
+ status := http.StatusUnauthorized
+ msg := "You aren't a member of the authorized Github organizations!"
+ if api.GithubOAuth2Config.DeviceFlowEnabled {
+ // In the device flow, the error is rendered client-side.
+ httpapi.Write(ctx, rw, status, codersdk.Response{
+ Message: "Unauthorized",
+ Detail: msg,
+ })
+ } else {
+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+ }
 return
 }
 }
@@ -959,7 +969,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 }
 }
 if allowedTeam == nil {
- httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
+ msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)
+ status := http.StatusUnauthorized
+ if api.GithubOAuth2Config.DeviceFlowEnabled {
+ // In the device flow, the error is rendered client-side.
+ httpapi.Write(ctx, rw, status, codersdk.Response{
+ Message: "Unauthorized",
+ Detail: msg,
+ })
+ } else {
+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+ }
 return
 }
 }