friend-oauth2
Returning `nil` from `credential-fn` redirects to oauth2callback URL with 404 "Not Found"
Steps to reproduce:
- set up Friend with oauth2 workflow
- in `credential-fn` return nil
- log in
I'm redirected to http://localhost:56990/oauth2callback?state=<hash>&code=<code> and Ring says 404 not found.
It works as expected when I don't return nil from the callback (i.e. if I return a map with `:identity`).
What is the expected behavior?
Good question.
I guess what I'd expect is that the `:unauthenticated-handler` function would be called so that I can handle the failure. But as far as I can tell, it's not called (I'm using `:allow-anon true`).
Or maybe having something like a `:auth-failure-uri`. Not sure if this already exists in Friend, the docs are not too great unfortunately and I couldn't find anything like that when I went through the sources.
Yeah, telling the user they are still unauthenticated makes sense to me I guess, perhaps along with some checks to warn the implementer they've messed up the credential-fn. Let me take a closer look at the code and get back to you--thanks for the heads up.
:+1:
BTW you say on the wiki for `credential-fn` that "You can also return nil here if you decide that the token provided is invalid. This could be used to implement e.g. banning users."
Which is basically exactly my use case - I only want to allow users with gmail accounts within a particular domain to log in. What I'm doing now is that I log them in and assign them the anonymous role...but I'd prefer if I could just prevent them from signing in altogether.
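As an added example (not code from this thread or from friend-oauth2 itself), a `credential-fn` for the domain-restriction use case described above: it returns an identity map only for verified addresses in one allowed domain and nil for everything else. It assumes friend-oauth2 calls `credential-fn` with `{:access-token ...}`, that clj-http is available, and that Google's userinfo endpoint returns `email` and `email_verified`; the domain value is constructed.

```clojure
(ns example.auth
  (:require [clj-http.client :as http]))

;; Constructed example value: the only hosted domain allowed to sign in.
(def allowed-domain "example.com")

(defn email-in-domain?
  "True only when the part after the last @ is exactly allowed-domain.
   An exact match avoids accepting lookalikes such as example.com.evil.test."
  [email]
  (let [[_ domain] (re-matches #"[^@]+@([^@]+)" (or email ""))]
    (= domain allowed-domain)))

(defn fetch-userinfo
  "Assumption: Google's OpenID userinfo endpoint, queried as a bearer
   request with the access token friend-oauth2 hands to credential-fn."
  [access-token]
  (:body (http/get "https://www.googleapis.com/oauth2/v3/userinfo"
                   {:oauth-token access-token :as :json})))

(defn credential-fn
  "Assumption: friend-oauth2 calls this with {:access-token ...}.
   Returns an identity map for permitted accounts and nil to reject the
   login, which is the wiki's documented way to ban or exclude users."
  [{:keys [access-token]}]
  (let [{:keys [email email_verified]} (fetch-userinfo access-token)]
    (when (and email_verified (email-in-domain? email))
      {:identity email :roles #{::user}})))
```

Pass it as `:credential-fn` in the friend-oauth2 workflow config; a nil return is what triggers the behaviour reported in this issue, so pair it with whatever unauthenticated handling the library ends up providing.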