这是indexloc提供的服务,不要输入任何密码
Skip to content

feat: better error when not enough scopes for SSO login #9948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Feb 14, 2025
+157 −1
Merged

feat: better error when not enough scopes for SSO login #9948

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7ca80a3
feat: better error when not enough scopes for SSO login
anthonyshew Feb 12, 2025
3e3627d
WIP
anthonyshew Feb 12, 2025
f5342e6
Update crates/turborepo-auth/src/lib.rs
anthonyshew Feb 14, 2025
8093c84
WIP
anthonyshew Feb 14, 2025
d17d1dd
WIP
anthonyshew Feb 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions crates/turborepo-auth/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,4 +32,6 @@ url = { workspace = true }
webbrowser = { workspace = true }

[dev-dependencies]
http = "1.1.0"
httpmock = { workspace = true }
port_scanner = { workspace = true }
154 changes: 153 additions & 1 deletion crates/turborepo-auth/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,33 @@ impl Token {
Ok(true)
}

async fn handle_sso_token_error<T: TokenClient>(
&self,
client: &T,
error: reqwest::Error,
) -> Result<bool, Error> {
if error.status() == Some(reqwest::StatusCode::FORBIDDEN) {
let metadata = self.fetch_metadata(client).await?;
if !metadata.token_type.is_empty() {
return Err(Error::APIError(turborepo_api_client::Error::InvalidToken {
status: error
.status()
.unwrap_or(reqwest::StatusCode::FORBIDDEN)
.as_u16(),
url: error
.url()
.map(|u| u.to_string())
.unwrap_or("Unknown url".to_string()),
message: error.to_string(),
}));
}
}

Err(Error::APIError(turborepo_api_client::Error::ReqwestError(
error,
)))
}

/// This is the same as `is_valid`, but also checks if the token is valid
/// for SSO.
///
Expand Down Expand Up @@ -158,7 +185,12 @@ impl Token {

Ok(true)
}
(Err(e), _) | (_, Err(e)) => Err(Error::APIError(e)),
(Err(e), _) | (_, Err(e)) => match e {
turborepo_api_client::Error::ReqwestError(e) => {
self.handle_sso_token_error(client, e).await
}
e => Err(Error::APIError(e)),
},
}
}

Expand Down Expand Up @@ -675,4 +707,124 @@ mod tests {
let result = Token::from_file(&file_path);
assert!(matches!(result, Err(Error::TokenNotFound)));
}

struct MockSSOTokenClient {
metadata_response: Option<ResponseTokenMetadata>,
}

impl TokenClient for MockSSOTokenClient {
async fn get_metadata(
&self,
_token: &str,
) -> turborepo_api_client::Result<ResponseTokenMetadata> {
if let Some(metadata) = &self.metadata_response {
Ok(metadata.clone())
} else {
Ok(ResponseTokenMetadata {
id: "test".to_string(),
name: "test".to_string(),
token_type: "".to_string(),
origin: "test".to_string(),
scopes: vec![],
active_at: current_unix_time() - 100,
created_at: 0,
})
}
}

async fn delete_token(&self, _token: &str) -> turborepo_api_client::Result<()> {
Ok(())
}
}

#[tokio::test]
async fn test_handle_sso_token_error_forbidden_with_invalid_token_error() {
let token = Token::new("test-token".to_string());
let client = MockSSOTokenClient {
metadata_response: Some(ResponseTokenMetadata {
id: "test".to_string(),
name: "test".to_string(),
token_type: "sso".to_string(),
origin: "test".to_string(),
scopes: vec![],
active_at: current_unix_time() - 100,
created_at: 0,
}),
};

let errorful_response = reqwest::Response::from(
http::Response::builder()
.status(reqwest::StatusCode::FORBIDDEN)
.body("")
.unwrap(),
);

let result = token
.handle_sso_token_error(&client, errorful_response.error_for_status().unwrap_err())
.await;
assert!(matches!(
result,
Err(Error::APIError(
turborepo_api_client::Error::InvalidToken { .. }
))
));
}

#[tokio::test]
async fn test_handle_sso_token_error_forbidden_without_token_type() {
let token = Token::new("test-token".to_string());
let client = MockSSOTokenClient {
metadata_response: Some(ResponseTokenMetadata {
id: "test".to_string(),
name: "test".to_string(),
token_type: "".to_string(),
origin: "test".to_string(),
scopes: vec![],
active_at: current_unix_time() - 100,
created_at: 0,
}),
};

let errorful_response = reqwest::Response::from(
http::Response::builder()
.status(reqwest::StatusCode::FORBIDDEN)
.body("")
.unwrap(),
);

let result = token
.handle_sso_token_error(&client, errorful_response.error_for_status().unwrap_err())
.await;
assert!(matches!(
result,
Err(Error::APIError(turborepo_api_client::Error::ReqwestError(
_
)))
));
}

#[tokio::test]
async fn test_handle_sso_token_error_non_forbidden() {
let token = Token::new("test-token".to_string());
let client = MockSSOTokenClient {
metadata_response: None,
};

let errorful_response = reqwest::Response::from(
http::Response::builder()
.status(reqwest::StatusCode::INTERNAL_SERVER_ERROR)
.body("")
.unwrap(),
);

let result = token
.handle_sso_token_error(&client, errorful_response.error_for_status().unwrap_err())
.await;
assert!(matches!(
result,
Err(Error::APIError(turborepo_api_client::Error::ReqwestError(
_
)))
));
}
}
Loading