8000 fix(site): prevent ExtractAPIKey from dirtying the HTML output by mafredri · Pull Request #8450 · coder/coder · GitHub
[go: up one dir, main page]
Skip to content

fix(site): prevent ExtractAPIKey from dirtying the HTML output #8450

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 12, 2023
Merged

fix(site): prevent ExtractAPIKey from dirtying the HTML output #8450

merged 6 commits into from
Jul 12, 2023

Conversation

mafredri
Copy link
Member

If httpmw.ExtractAPIKey fails when we are rendering an HTML page, the
HTML output will be dirtied with the error repsonse and the HTTP status
will also be wrong.

The use of this function in the renderHTMLWithState is additive, and
failure means we simply can't embed static data. To fix this, we can
simply pass a http.ResponseWriter that is no-op.

Fixes #8351

@mafredri mafredri requested review from kylecarbs and Emyrk July 12, 2023 09:40
@mafredri mafredri mentioned this pull request Jul 12, 2023
Closed
@mafredri mafredri force-pushed the mafredri/fix-site-oauth branch from 90f3a55 to df0ce70 Compare July 12, 2023 09:49
@mafredri
fix(site): prevent ExtractAPIKey from dirtying the HTML output
630a40a 
If `httpmw.ExtractAPIKey` fails when we are rendering an HTML page, the
HTML output will be dirtied with the error repsonse and the HTTP status
will also be wrong.

The use of this function in the `renderHTMLWithState` is additive, and
failure means we simply can't embed static data. To fix this, we can
simply pass a `http.ResponseWriter` that is no-op.

Fixes #8351
@mafredri mafredri force-pushed the mafredri/fix-site-oauth branch from df0ce70 to 630a40a Compare July 12, 2023 09:51
johnstcn
johnstcn reviewed Jul 12, 2023
View reviewed changes
site/site.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to add a unit test that ossifies this behaviour? It would be sad if we had another regression on this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I'm looking into this currently 👍🏻

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Covered in 54406d9 (#8450):

coder@w ~/src/coder/coder mafredri/fix-site-oauth*
❯ go test ./site -run=TestInjectionFailure -v
=== RUN   TestInjectionFailureProducesCleanHTML
=== PAUSE TestInjectionFailureProducesCleanHTML
=== CONT  TestInjectionFailureProducesCleanHTML
    site_test.go:114:
        	Error Trace:	/home/coder/src/coder/coder/site/site_test.go:114
        	Error:      	Not equal:
        	            	expected: 200
        	            	actual  : 500
        	Test:       	TestInjectionFailureProducesCleanHTML
--- FAIL: TestInjectionFailureProducesCleanHTML (0.00s)
FAIL
FAIL	github.com/coder/coder/site	0.042s
FAIL

coder@w ~/src/coder/coder mafredri/fix-site-oauth*
❯ go test ./site -run=TestInjectionFailure -v
=== RUN   TestInjectionFailureProducesCleanHTML
=== PAUSE TestInjectionFailureProducesCleanHTML
=== CONT  TestInjectionFailureProducesCleanHTML
    site_test.go:116:
        	Error Trace:	/home/coder/src/coder/coder/site/site_test.go:116
        	Error:      	Not equal:
        	            	expected: "<html></html>"
        	            	actual  : "{\n\t\"message\": \"An internal error occurred. Please try again or contact the system administrator.\",\n\t\"detail\": \"Unable to refresh OAuth token for login type \\\"github\\\". No OAuth2Configs provided. Contact an administrator to configure this login type.\"\n}\n<html></html>"

        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1 +1,5 @@
        	            	+{
        	            	+	"message": "An internal error occurred. Please try again or contact the system administrator.",
        	            	+	"detail": "Unable to refresh OAuth token for login type \"github\". No OAuth2Configs provided. Contact an administrator to configure this login type."
        	            	+}
        	            	 <html></html>
        	Test:       	TestInjectionFailureProducesCleanHTML
--- FAIL: TestInjectionFailureProducesCleanHTML (0.00s)
FAIL
FAIL	github.com/coder/coder/site	0.031s
FAIL

coder@w ~/src/coder/coder mafredri/fix-site-oauth*
❯ go test ./site -run=TestInjectionFailure -v
=== RUN   TestInjectionFailureProducesCleanHTML
=== PAUSE TestInjectionFailureProducesCleanHTML
=== CONT  TestInjectionFailureProducesCleanHTML
--- PASS: TestInjectionFailureProducesCleanHTML (0.01s)
PASS
ok  	github.com/coder/coder/site	0.053s

johnstcn
johnstcn reviewed Jul 12, 2023
View reviewed changes
site/site_test.go
Comment on lines +95 to +99
siteFS := fstest.MapFS{
"index.html": &fstest.MapFile{
Data: []byte("<html>{{ .User }}</html>"),
},
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL about testing/fstest ❤️

Emyrk
Emyrk approved these changes Jul 12, 2023
View reviewed changes
Copy link
Member
@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat test! 👍

site/site.go
Comment on lines +296 to +297
noopRW := noopResponseWriter{}
apiKey, actor, ok := httpmw.ExtractAPIKey(noopRW, r, httpmw.ExtractAPIKeyConfig{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes a lot of sense.

I think the FE has code where if a static value is not populated statically, it defaults to using the API. so there should never be an error, just an empty static field.

@mafredri mafredri merged commit f6a8a5f into main Jul 12, 2023
@mafredri mafredri deleted the mafredri/fix-site-oauth branch July 12, 2023 12:38
@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

@kylecarbs kylecarbs Awaiting requested review from kylecarbs

Assignees

@mafredri mafredri

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Occasional "panic serving http request"
3 participants
@mafredri @johnstcn @Emyrk
0