Improve error messages when using oidc with an existing account

If an account was first created locally (by signing up at docspell)
and a sign-in to the same account is later attempted via openid, a
better error message is now written to the logs so that it can be
acted on. The user won't see any details in the webapp.

Issue: #1827 #1781
eikek 2022-11-04 20:45:30 +01:00
parent dee7534e34
commit 14643ae4d1
2 changed files with 14 additions and 2 deletions


@ -73,8 +73,13 @@ object Login {
case object InvalidAuth extends Result {
val toEither = Left("Authentication failed.")
}
case class InvalidAccountSource(account: AccountId) extends Result {
val toEither = Left(
s"The account '${account.asString}' already exists from a different source (local vs openid)!"
)
}
case object InvalidTime extends Result {
val toEither = Left("Authentication failed.")
val toEither = Left("Authentication failed due expired authenticator.")
}
case object InvalidFactor extends Result {
val toEither = Left("Authentication requires second factor.")
@ -85,6 +90,7 @@ object Login {
def invalidAuth: Result = InvalidAuth
def invalidTime: Result = InvalidTime
def invalidFactor: Result = InvalidFactor
def invalidAccountSource(account: AccountId): Result = InvalidAccountSource(account)
}
def apply[F[_]: Async](store: Store[F], totp: Totp): Resource[F, Login[F]] =
@ -99,6 +105,8 @@ object Login {
res <- data match {
case Some(d) if checkNoPassword(d, Set(AccountSource.OpenId)) =>
doLogin(config, d.account, false)
case Some(d) if checkNoPassword(d, Set(AccountSource.Local)) =>
Result.invalidAccountSource(accountId).pure[F]
case _ =>
Result.invalidAuth.pure[F]
}
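Review bot: The new `toEither` strings on `InvalidAccountSource` and `InvalidTime` carry distinguishing detail (the account already exists from another source; the authenticator was expired rather than invalid), and `toEither` is a general accessor on `Result` whose other consumers are not visible in these hunks. The commit message says the user sees no details, but that holds only as long as no route returns this `Left` to a client; if one does, the text becomes an account-existence signal. I would keep the value generic, `val toEither = Left("Authentication failed.")`, and carry the diagnostic text in a separate log-only member, or at minimum add the comment `// log-only: never return this message to a client` above both definitions. The new `InvalidTime` text should also read `"Authentication failed due to an expired authenticator."`. `object Login` starts and ends outside these hunks.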


@ -105,6 +105,7 @@ object OpenId {
import dsl._
for {
_ <- logger.debug(s"Setting up external account: ${accountId.asString}")
setup <- backend.signup.setupExternal(ExternalAccount(accountId))
res <- setup match {
case SignupResult.Failure(ex) =>
@ -143,6 +144,7 @@ object OpenId {
import dsl._
for {
_ <- logger.debug(s"Login and verify external account: ${accountId.asString}")
login <- backend.login.loginExternal(config.auth)(accountId)
resp <- login match {
case Login.Result.Ok(session, _) =>
@ -158,7 +160,9 @@ object OpenId {
.map(_.addCookie(CookieData(session).asCookie(baseUrl)))
case failed =>
logger.error(s"External login failed: $failed") *>
logger.error(
s"External login failed: $failed. ${failed.toEither.left.getOrElse("")}"
) *>
SeeOther(location)
}
} yield resp
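Review bot: The error line in the `case failed =>` branch names the account only when the result is `InvalidAccountSource`. For `InvalidAuth`, `InvalidTime` and `InvalidFactor` the account appears only in the debug line added above, so at the default log level a failed external login cannot be tied to an account. If `accountId` is still in scope there (the hunks look like one for-comprehension, but the enclosing function is not fully visible), I would write `logger.error(s"External login failed for account '${accountId.asString}': $failed. ${failed.toEither.left.getOrElse("")}")`. That also lets repeated local-vs-openid collisions on one account be alerted on. The account id comes from the identity provider's response, so it is worth confirming it is validated before being interpolated into log lines.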