forked from louketo/louketo-proxy
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy patherrors.go
112 lines (97 loc) · 3.38 KB
/
errors.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
package main
import (
"context"
"errors"
"fmt"
"net/http"
"path"
"strings"
"go.uber.org/zap"
)
var (
// ErrSessionNotFound no session found in the request
ErrSessionNotFound = errors.New("authentication session not found")
// ErrNoSessionStateFound means there was not persist state
ErrNoSessionStateFound = errors.New("no session state found")
// ErrInvalidSession the session is invalid
ErrInvalidSession = errors.New("invalid session identifier")
// ErrAccessTokenExpired indicates the access token has expired
ErrAccessTokenExpired = errors.New("the access token has expired")
// ErrRefreshTokenExpired indicates the refresh token as expired
ErrRefreshTokenExpired = errors.New("the refresh token has expired")
// ErrNoTokenAudience indicates their is not audience in the token
ErrNoTokenAudience = errors.New("the token does not audience in claims")
// ErrDecryption indicates we can't decrypt the token
ErrDecryption = errors.New("failed to decrypt token")
// ErrEncode indicates a failure to encode the token
ErrEncode = errors.New("failed to encode token")
// ErrEncryption indicates a failure to encrypt the token
ErrEncryption = errors.New("failed to encrypt token")
)
func methodNotAllowedHandler(w http.ResponseWriter, req *http.Request) {
errorResponse(w, "", http.StatusMethodNotAllowed)
_, _ = w.Write(nil)
}
func methodNotFoundHandler(w http.ResponseWriter, req *http.Request) {
errorResponse(w, "", http.StatusNotFound)
_, _ = w.Write(nil)
}
//nolint:contextcheck
func (r *oauthProxy) errorResponse(w http.ResponseWriter, req *http.Request, msg string, code int, err error) {
span, logger := r.traceSpanRequest(req)
if err == nil {
logger.Warn(msg, zap.Int("http_status", code))
} else {
switch code {
case http.StatusInternalServerError:
// we log internal server errors as ERROR
logger.Error(msg, zap.Int("http_status", code), zap.Error(err))
default:
// we log user errors as WARNING
logger.Warn(msg, zap.Int("http_status", code), zap.Error(err))
}
}
if span != nil {
_ = traceError(span, err, code)
}
errorResponse(w, msg, code)
}
func noSniff(w http.ResponseWriter) {
w.Header().Set(headerXContentTypeOptions, "nosniff")
}
func errorResponse(w http.ResponseWriter, msg string, code int) {
w.Header().Set("Content-Type", jsonMime)
noSniff(w)
w.WriteHeader(code)
if len(msg) > 0 {
fmt.Fprintf(w, `{"error": %q}`, msg)
}
}
// accessForbidden redirects the user to the forbidden page
func (r *oauthProxy) accessForbidden(w http.ResponseWriter, req *http.Request, msgs ...string) context.Context {
_, logger := r.traceSpanRequest(req)
// are we using a custom http template for 403?
if r.config.hasCustomForbiddenPage() {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
noSniff(w)
w.WriteHeader(http.StatusForbidden)
name := path.Base(r.config.ForbiddenPage)
if err := r.Render(w, name, r.config.Tags); err != nil {
logger.Error("failed to render the template", zap.Error(err), zap.String("template", name))
}
} else {
var msg string
if len(msgs) > 0 {
r.log.Warn("user forbidden access", zap.Strings("extra_messages", msgs))
switch len(msgs) {
case 1:
msg = msgs[0]
default: // > 1
msg = strings.Join(msgs[:2], " ")
}
}
// extraMsg goes to log but only the 2 first ones are to be returned as end user error
r.errorResponse(w, req, msg, http.StatusForbidden, nil)
}
return r.revokeProxy(w, req)
}