feat(web): introduction of an access denied page #7251

Open. Wants to merge 2 commits into master.

Conversation

@rocketproto commented Apr 28, 2024

When a user does not have the required permissions, a redirection url to a new 'Access Denied' page is passed back to the reverse proxy along with the 403 error code. This follows the same sequence as an unauthenticated user getting redirected to the login. The Access Denied page presents the user with an option to logout, as well as the details of the page they were denied access to.

Work includes a slight refactor of authz handlers to allow for code reuse.

Also includes a simple 'demo home' button injected into the development login page to allow for easier navigation back to home.example.com for the Standalone suite.

Fixes #2319.

Summary by CodeRabbit

  • New Features

    • Added error handling routes and views in the web application.
    • Introduced new authorization handling for access-denied scenarios.
    • Enhanced redirection mechanisms for unauthorized and forbidden access.
  • Refactor

    • Improved authorization logic to better handle different types of requests and responses.
    • Consolidated similar functions to streamline codebase and improve maintenance.
  • Bug Fixes

    • Adjusted error handling in the nginx configuration to support both 401 and 403 errors.
  • Documentation

    • Updated comments and logging for clearer understanding and troubleshooting.
  • Style

    • Implemented new UI components for displaying errors and loading states in the web application.

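The reverse-proxy half of the flow described above (Authelia answers the sub-request with 401 or 403 plus a Location header, and the proxy turns that into a browser redirect) is easiest to see in an nginx snippet. This is an added example, not the suite's nginx.conf from this PR; the host name, upstream names and the `/api/authz/auth-request` path are assumptions modelled on Authelia's documented nginx integration.

```nginx
# Added example, not the PR's nginx.conf. Upstream and host names are assumed.
location / {
    # Ask Authelia whether this request is allowed.
    auth_request /authelia;

    # Capture the Location header Authelia returns with its 401/403 reply:
    # the login page for 401, the Access Denied page for 403.
    auth_request_set $redirection_url $upstream_http_location;

    # Before this PR only 401 was mapped; 403 now also follows Authelia's
    # redirection URL instead of serving nginx's default 403 page.
    error_page 401 403 =302 $redirection_url;

    proxy_pass http://backend;
}

location /authelia {
    # Only reachable via auth_request, never directly from a client.
    internal;
    proxy_pass http://authelia:9091/api/authz/auth-request;

    # Authelia needs the original request to evaluate its access control
    # rules and to build the "denied access to" details on the error page.
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Forwarded-Method $request_method;

    # The body is irrelevant to the authorization decision.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
```

Two points worth keeping in mind when adopting this: browsers do not follow a Location header on a 403, so the redirect only happens because nginx rewrites the status to 302 on the proxy side, which is exactly why the `setSpecialRedirect` allow-list in this PR has to accept 403; and `$redirection_url` is populated only from the internal `/authelia` location, so a client cannot inject its own redirect target through this path.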
authelia bot commented Apr 28, 2024

Thanks for choosing to contribute @rocketproto. We lint all PRs with golangci-lint and eslint, I may add a review to your PR with some suggestions.

You are free to apply the changes if you're comfortable, alternatively you are welcome to ask a team member for advice.

Artifacts

These changes once approved by a team member will be published for testing on Buildkite, DockerHub and GitHub Container Registry.

Docker Container

  • docker pull authelia/authelia:PR7251
  • docker pull ghcr.io/authelia/authelia:PR7251

coderabbitai bot (Contributor) commented Apr 28, 2024

Walkthrough

The recent updates primarily focus on refining the authorization handling across various modules in the system. New methods and types have been introduced to manage forbidden access more effectively, along with improvements in redirection logic and error handling. Additionally, enhancements in the web interface include new error views and better management of query parameters and loading states.

Changes

File Path | Change Summary
internal/handlers/... | Refactored and added methods for handling authorization and forbidden access, improved error redirection and logging.
web/src/... | Introduced new components and constants for error handling, updated existing views with new loading components, and refined the configuration setup.
internal/suites/.../nginx.conf | Modified nginx configuration to handle multiple error codes for redirection.

Assessment against linked issues

Objective | Addressed | Explanation
Create a deny page [#2319] | | The introduction of ForbiddenError.tsx and modifications in authorization handlers to redirect to error pages effectively address this requirement.

Recent Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between bd9e477 and 3caaa6c.
Files selected for processing (1)
  • internal/handlers/handler_authz_impl_legacy.go (1 hunks)
Files skipped from review as they are similar to previous changes (1)
  • internal/handlers/handler_authz_impl_legacy.go


if authn.Type == AuthnTypeAuthorization {
ctx.Logger.Infof("Access to %s (method %s) is forbidden for user %s, responding with status code %d", authn.Object.URL.String(), authn.Method, authn.Username, fasthttp.StatusForbidden)
ctx.ReplyForbidden()
return
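Review bot: the wsl finding on `return` is cleared by a blank line between `ctx.ReplyForbidden()` and `return`. Separately, this branch answers an `AuthnTypeAuthorization` request (a client authenticating with an Authorization header rather than a browser session) with a bare 403 and no redirection URL, which is the right behaviour for non-browser clients, but that intent is not visible in the code; a one-line comment saying that API clients are not redirected to the Access Denied page would save the next reader a trip through the PR description.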
Collaborator review comment:
🚫 [golangci] reported by reviewdog 🐶
return statements should not be cuddled if block has more than two lines (wsl)

@rocketproto (Author) commented:
For quick view:

The access denied page:
[screenshot: the access denied page]

Noting the "Demo Home" link is only injected into the page by the vite config while being served in the demo container. It will not be in the production build.

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 5

@@ -29,13 +29,17 @@ type Authz struct {

handleAuthorized HandlerAuthzAuthorized
handleUnauthorized HandlerAuthzUnauthorized
handleForbidden HandlerAuthzForbidden
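Review bot: the new `handleForbidden` field is only declared in this hunk; wherever the builder assigns `handleAuthorized` and `handleUnauthorized` for each authz implementation, `handleForbidden` must be assigned as well, because calling a nil func value in Go panics at runtime on the first forbidden request and the compiler will not flag the omission. A doc comment on the field, in the style of the two above it, is also missing.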
coderabbitai bot:

Add documentation for handleForbidden.

It's important to maintain consistency in code documentation. Please add a comment describing the purpose and usage of the handleForbidden field in the Authz struct.

Comment on lines +40 to +42
// HandlerAuthzForbidden is a Authz handler func that handles forbidden responses.
type HandlerAuthzForbidden func(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL)
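Review bot: the doc comment on line +40 reads "a Authz handler"; it should be "an Authz handler". It would also help to say what `redirectionURL` carries (per the PR description, the Access Denied page URL handed back to the reverse proxy) and whether it may be nil, since the signature is otherwise identical to the unauthorized handler and the difference between the two is only in how that URL is used.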

coderabbitai bot:

Add documentation for HandlerAuthzForbidden.

The new handler type HandlerAuthzForbidden is missing documentation. Please provide a comment explaining what this handler function is responsible for, similar to the other handler types in this file.

@@ -45,6 +45,7 @@ const (
queryArgConsentID = "consent_id"
queryArgWorkflow = "workflow"
queryArgWorkflowID = "workflow_id"
queryArgEC = "ec"
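Review bot: `queryArgEC = "ec"` needs a comment like its neighbours stating what the abbreviation stands for and which page consumes it. Because the front end reads this query argument from a URL a browser can be sent to directly, the error view should treat the value as a closed set of known codes (such as the `forbidden` value introduced elsewhere in this PR) and fall back to a generic message for anything else, rather than rendering whatever arrives.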
coderabbitai bot:

Add documentation for queryArgEC.

The new constant queryArgEC is added but lacks documentation. Please add a comment explaining what this constant represents and how it is used within the application.

Comment on lines +59 to +64
baseErrorPath = "error"
)

var (
errorForbidden = "forbidden"
)
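Review bot: `errorForbidden` is declared in a `var` block although it is a fixed string with no visible reassignment; moving it into the `const` block next to `baseErrorPath = "error"` lets the compiler rule out accidental mutation. Both also want a comment explaining that together they form the path and the `ec` query value of the Access Denied page.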
coderabbitai bot:

Add documentation for baseErrorPath and errorForbidden.

The newly introduced variables baseErrorPath and errorForbidden are missing descriptive comments. Please add documentation to explain their purposes and contexts in which they are used.

@@ -615,7 +615,7 @@ func (ctx *AutheliaCtx) SpecialRedirectNoBody(uri string, statusCode int) {
}

func (ctx *AutheliaCtx) setSpecialRedirect(uri string, statusCode int) ([]byte, int) {
if statusCode < fasthttp.StatusMovedPermanently || (statusCode > fasthttp.StatusSeeOther && statusCode != fasthttp.StatusTemporaryRedirect && statusCode != fasthttp.StatusPermanentRedirect && statusCode != fasthttp.StatusUnauthorized) {
if statusCode < fasthttp.StatusMovedPermanently || (statusCode > fasthttp.StatusSeeOther && statusCode != fasthttp.StatusTemporaryRedirect && statusCode != fasthttp.StatusPermanentRedirect && statusCode != fasthttp.StatusUnauthorized && statusCode != fasthttp.StatusForbidden) {
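Review bot: the condition now chains six comparisons on one line, and adding `StatusForbidden` to it shows the pattern will keep growing. Writing the accepted codes as an explicit allow-list (a `switch` on `statusCode` listing `StatusMovedPermanently`, `StatusFound`, `StatusSeeOther`, `StatusTemporaryRedirect`, `StatusPermanentRedirect`, `StatusUnauthorized` and `StatusForbidden`, with the default branch rejecting) states the intent directly and removes the range check `< StatusMovedPermanently || > StatusSeeOther` that a reader has to decode first. A short comment that 401 and 403 are accepted here because the redirection target is consumed by the reverse proxy's error handling rather than followed by the browser would also help.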
coderabbitai bot:

Review the status code conditions in setSpecialRedirect.

The condition in the setSpecialRedirect method seems overly complex and might be error-prone. Consider simplifying this condition to improve readability and maintainability.

@Henkow commented May 20, 2024

Great work, just a question. If the user who got denied hasn't set up TOTP and the denied resource mandates TOTP, will the user then have the ability to request a TOTP token? Because that is the case with the current implementation if you go back to the same URL after the 403 and apply /authelia.

I think the current implementation is incorrect. I have a user specifically for one_factor proxies; I don't want that user to have the ability to request a TOTP token if the user in question is not permitted to access the resource to begin with.

Successfully merging this pull request may close these issues.

Create a deny page