Improved response to unauthorized user / Session token set with unauthorized user. #99

Closed
russmac opened this issue Sep 7, 2016 · 3 comments


russmac commented Sep 7, 2016

I was logging in with my existing Gmail account automatically, with an existing cookie, which was correctly not authorized for access due to domain.

However, the login appeared to succeed and the resource listing page was displayed (with no data), indicating the login was authorized. It would be good to redirect to loggedout or a 401.

The confidant_session token was also set despite logs showing failed authorization. It of course appears to be correctly unauthorized.

When I clicked create service I got this error, which had me thinking my AWS infra was misnamed or my DynamoDB tables had not been nuked before recreation during provisioning. It is due to the correct 403 on all v1/ resources.

{{ grantUpdateError }}

{{ saveError }}

The following credential pair keys conflict in the listed credentials:

Please ensure credential pair keys are unique, then try again.
Service ID {{ service.id || "Not set." }} {{ service.id || "Not set." }}
AWS Account {{ service.account }} No account scoping No account scoping
Service Enabled {{ service.enabled }} 
@russmac russmac changed the title Improved response to unauthorized user. Improved response to unauthorized user / Session token set with unauthorized user. Sep 7, 2016
@ryan-lane

Yep. We have an open issue for this: #64

Ideally this would redirect to another page that gave a proper error message, rather than logged out, so that people get an indication that they've made a mistake.


russmac commented Sep 7, 2016

Apologies for the dupe.

@russmac russmac closed this as completed Sep 7, 2016
@ryan-lane

No worries! I'll think of a reasonable way of solving this :)

On Sep 6, 2016 10:21 PM, "Russell Maclean" wrote:

Apologies for the dupe.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#99 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABd5MsndSezBtp5JAOjHsIZd3NkEQmP3ks5qnknSgaJpZM4J2ctE
.

tstallings pushed a commit that referenced this issue Aug 2, 2018
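
The behaviour reported in this issue, reduced to an added example that is not Confidant's code and not part of the original thread: one login handler sets the session and serves the page before authorization is checked, the other authorizes first and returns an explicit error with no session. All function names, the allowed domain, the in-memory session store and the choice of a 403 status are assumptions made for illustration.

```python
import secrets

# Constructed values for illustration; none are taken from the project.
ALLOWED_DOMAIN = "example.com"
COOKIE_NAME = "confidant_session"  # cookie name as mentioned in the issue
SESSIONS = {}  # server-side session store: session id -> email


def is_authorized(email):
    """Exact, case-insensitive match on the domain after the last '@'."""
    local, sep, domain = email.rpartition("@")
    return bool(local) and sep == "@" and domain.lower() == ALLOWED_DOMAIN


def new_session(email):
    """Create a server-side session and return its Set-Cookie header."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    return ("Set-Cookie", f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure")


def login_reported(email):
    """Ordering described in the issue: the session is set and the page is
    served for any authenticated user; only later API calls return 403."""
    return 200, [new_session(email)], "resource listing (empty)"


def login_checked(email):
    """Authorize first: a rejected user gets an explicit error and no session."""
    if not is_authorized(email):
        # Expire any stale cookie instead of issuing a new one.
        expire = ("Set-Cookie", f"{COOKIE_NAME}=; Path=/; Max-Age=0")
        return 403, [expire], "account is not authorized for this service"
    return 200, [new_session(email)], "resource listing"


if __name__ == "__main__":
    for handler in (login_reported, login_checked):
        status, headers, body = handler("someone@gmail.com")
        print(handler.__name__, status, body, len(SESSIONS))
```
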