[BUG]: Missing error handlers for oidc failure cause 500 Server Error #289

Open · opened 2025-12-12 15:21:30 +01:00 by simon (Owner) · 0 comments

AuthController: Missing error handlers for Assent errors cause 500 Server Error

Description

When the OIDC server (Rauthy) is unreachable or there's a configuration error (e.g., invalid client_secret), the application throws a FunctionClauseError and returns a 500 error instead of a user-friendly error message.

Root Cause

The handle_rauthy_failure/2 function in MvWeb.AuthController only has pattern matches for:

  • %Ash.Error.Invalid{}
  • %AshAuthentication.Errors.AuthenticationFailed{}

It does not handle Assent-specific errors:

  • %Assent.ServerUnreachableError{} - OIDC server is offline/unreachable
  • %Assent.InvalidResponseError{} - OIDC server returns an error (401, 403, etc.)

Steps to Reproduce

Scenario 1: Server unreachable

  1. Stop the OIDC server: docker compose stop rauthy
  2. Click "Sign in with OIDC"
  3. → 500 Internal Server Error with FunctionClauseError

Scenario 2: Invalid configuration

  1. Configure an invalid client_secret in .env
  2. Click "Sign in with OIDC"
  3. → 500 Internal Server Error

Expected Behavior

User-friendly error message like "The authentication server is currently unavailable. Please try again later." with redirect to sign-in page.

Actual Behavior

** (FunctionClauseError) no function clause matching in MvWeb.AuthController.handle_rauthy_failure/2

Proposed Solution

Add catch-all handler and/or specific handlers for Assent errors in handle_rauthy_failure/2:

```elixir
# Handle server unreachable
defp handle_rauthy_failure(conn, %Assent.ServerUnreachableError{request_url: url}) do
  Logger.error("OIDC server unreachable: #{url}")
  redirect_with_error(conn, gettext("The authentication server is currently unavailable. Please try again later."))
end

# Handle invalid response (e.g., wrong client_secret, 401/403)
defp handle_rauthy_failure(conn, %Assent.InvalidResponseError{response: response}) do
  Logger.error("OIDC invalid response: #{inspect(response.body)}")
  redirect_with_error(conn, gettext("Authentication configuration error. Please contact the administrator."))
end

# Catch-all for any other unexpected errors
defp handle_rauthy_failure(conn, reason) do
  Logger.error("Unexpected OIDC error: #{inspect(reason)}")
  redirect_with_error(conn, gettext("Unable to authenticate with OIDC. Please try again."))
end
```

Affected File

lib/mv_web/controllers/auth_controller.ex (lines 64-79)
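The following is an added, stand-alone script that reproduces the failure mode described in this issue and shows the clause layout of the proposed fix. It is example code written for this page, not code from the mitgliederverwaltung project or from the issue author. Assumptions: the Assent and Ash exception modules defined at the top are local stand-ins that mirror only the field names the issue's own snippet relies on (the real project gets them from its dependencies and would not define them); `{:redirect, message}` tuples stand in for `redirect_with_error/2` and `gettext/1`; the Rauthy URL and the 401 response are constructed sample data.

```elixir
# Added example, not project code. Run with: elixir oidc_failure_demo.exs
#
# Local stand-ins (assumption): in the real project these structs come from the
# :assent, :ash and :ash_authentication dependencies. Only the fields used
# below are relevant to the pattern matches.
defmodule Assent.ServerUnreachableError do
  defexception [:http_adapter, :request_url, :reason]
  def message(e), do: "server unreachable: #{e.request_url} (#{inspect(e.reason)})"
end

defmodule Assent.InvalidResponseError do
  defexception [:response]
  def message(e), do: "invalid response: #{inspect(e.response)}"
end

defmodule Ash.Error.Invalid, do: defstruct [:errors]
defmodule AshAuthentication.Errors.AuthenticationFailed, do: defstruct [:caused_by]

defmodule BeforeFix do
  # Only the two clauses the issue says exist today; anything else raises
  # FunctionClauseError, which Phoenix turns into a 500 response.
  def handle_rauthy_failure(_conn, %Ash.Error.Invalid{}), do: {:redirect, "Invalid request."}

  def handle_rauthy_failure(_conn, %AshAuthentication.Errors.AuthenticationFailed{}),
    do: {:redirect, "Authentication failed."}
end

defmodule AfterFix do
  require Logger

  # Specific clauses first, catch-all last: a catch-all placed earlier would
  # shadow every clause after it (the compiler warns about unreachable clauses).
  def handle_rauthy_failure(_conn, %Assent.ServerUnreachableError{request_url: url}) do
    Logger.error("OIDC server unreachable: #{url}")
    {:redirect, "The authentication server is currently unavailable. Please try again later."}
  end

  def handle_rauthy_failure(_conn, %Assent.InvalidResponseError{response: response}) do
    # Detail goes to the server log only; the user gets a fixed, generic message.
    Logger.error("OIDC invalid response: status=#{inspect(response.status)} body=#{inspect(response.body)}")
    {:redirect, "Authentication configuration error. Please contact the administrator."}
  end

  def handle_rauthy_failure(_conn, %Ash.Error.Invalid{}), do: {:redirect, "Invalid request."}

  def handle_rauthy_failure(_conn, %AshAuthentication.Errors.AuthenticationFailed{}),
    do: {:redirect, "Authentication failed."}

  # Catch-all: inspect(reason) is logged, never interpolated into the user-facing text.
  def handle_rauthy_failure(_conn, reason) do
    Logger.error("Unexpected OIDC error: #{inspect(reason)}")
    {:redirect, "Unable to authenticate with OIDC. Please try again."}
  end
end

# Constructed sample errors (assumption) standing in for scenario 1 and scenario 2.
unreachable = %Assent.ServerUnreachableError{
  request_url: "https://rauthy.example.invalid/auth/v1/oidc/token",
  reason: :econnrefused
}

invalid = %Assent.InvalidResponseError{
  response: %{status: 401, body: %{"error" => "invalid_client"}}
}

for err <- [unreachable, invalid] do
  try do
    BeforeFix.handle_rauthy_failure(:conn, err)
  rescue
    e in FunctionClauseError -> IO.puts("before: " <> Exception.message(e))
  end

  {:redirect, msg} = AfterFix.handle_rauthy_failure(:conn, err)
  IO.puts("after:  #{msg}")
end
```

The script prints the `no function clause matching in BeforeFix.handle_rauthy_failure/2` message for both constructed errors, then the user-facing text that `AfterFix` returns for each. The two design points worth carrying into the real controller are clause ordering (catch-all last) and keeping `inspect/1` output out of anything shown to the user.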

simon added the labels bug, S 2025-12-12 15:21:30 +01:00
simon added this to the Sprint 10: 11.12-08.01 project 2025-12-12 15:21:31 +01:00
Reference: local-it/mitgliederverwaltung#289