feat: add oidc cycle breaker

2026-03-16 19:00:11 +01:00 · 2026-03-16 19:00:11 +01:00 · 25f3b19f50
commit 25f3b19f50
parent 92e6f07572
7 changed files with 74 additions and 34 deletions
--- a/test/mv_web/controllers/auth_controller_test.exs
+++ b/test/mv_web/controllers/auth_controller_test.exs
@ -363,6 +363,39 @@ defmodule MvWeb.AuthControllerTest do
      end
    end

+    test "returns 200 when OIDC-only but oidc_failed=1 (avoids redirect loop)", %{
+      conn: authenticated_conn
+    } do
+      {:ok, settings} = Membership.get_settings()
+
+      prev = %{
+        oidc_only: settings.oidc_only,
+        oidc_client_id: settings.oidc_client_id,
+        oidc_base_url: settings.oidc_base_url,
+        oidc_redirect_uri: settings.oidc_redirect_uri
+      }
+
+      {:ok, _} =
+        Membership.update_settings(settings, %{
+          oidc_only: true,
+          oidc_client_id: "test-client",
+          oidc_base_url: "https://idp.example.com",
+          oidc_redirect_uri: "http://localhost:4000/auth/user/oidc/callback",
+          oidc_client_secret: "test-secret"
+        })
+
+      try do
+        conn = build_unauthenticated_conn(authenticated_conn)
+        conn = get(conn, "/sign-in?oidc_failed=1")
+        assert conn.status == 200
+        # Sign-in page is shown, not redirect to OIDC
+        assert conn.resp_body =~ "Sign in" or conn.resp_body =~ "sign-in"
+      after
+        {:ok, s} = Membership.get_settings()
+        Membership.update_settings(s, prev)
+      end
+    end
+
    test "returns 200 when OIDC-only but OIDC not configured", %{conn: authenticated_conn} do
      {:ok, settings} = Membership.get_settings()
      original_oidc_only = Map.get(settings, :oidc_only, false)
@ -400,7 +433,7 @@ defmodule MvWeb.AuthControllerTest do

      conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, error)

-      assert redirected_to(conn) == ~p"/sign-in"
+      assert redirected_to(conn) == "/sign-in?oidc_failed=1"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "The authentication server is currently unavailable. Please try again later."
@ -422,7 +455,7 @@ defmodule MvWeb.AuthControllerTest do

      conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, error)

-      assert redirected_to(conn) == ~p"/sign-in"
+      assert redirected_to(conn) == "/sign-in?oidc_failed=1"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "Authentication configuration error. Please contact the administrator."
@ -436,7 +469,7 @@ defmodule MvWeb.AuthControllerTest do

      conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, unknown_reason)

-      assert redirected_to(conn) == ~p"/sign-in"
+      assert redirected_to(conn) == "/sign-in?oidc_failed=1"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
               "Unable to authenticate with OIDC. Please try again."