From 07c9a9907e46357ee9587aeac485c0cb3fd9e355 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 27 Jan 2019 14:45:44 +0000
Subject: [PATCH] Redirect the user to a configurable URL when accessing
 homepage by mistake

Fixes issue #6.
---
 server/config.go | 24 +++++++++++-------------
 server/http.go   | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/server/config.go b/server/config.go
index d62160a..06f251e 100644
--- a/server/config.go
+++ b/server/config.go
@@ -36,6 +36,7 @@ type Config struct {
 	AuthService                string                    `yaml:"auth_service"`
 	U2FAppID                   string                    `yaml:"u2f_app_id"`
 	URLPrefix                  string                    `yaml:"url_path_prefix"`
+	HomepageRedirectURL        string                    `yaml:"homepage_redirect_url"`
 	DeviceManager              *device.Config            `yaml:"device_manager"`
 	KeyStore                   *clientutil.BackendConfig `yaml:"keystore"`
 	KeyStoreEnableGroups       []string                  `yaml:"keystore_enable_groups"`
@@ -45,26 +46,23 @@ type Config struct {
 }
 
 // Check syntax (missing required values).
+//
+// nolint: gocyclo
 func (c *Config) valid() error {
-	if c.SecretKeyFile == "" {
+	switch {
+	case c.SecretKeyFile == "":
 		return errors.New("secret_key_file is empty")
-	}
-	if c.PublicKeyFile == "" {
+	case c.PublicKeyFile == "":
 		return errors.New("public_key_file is empty")
-	}
-	if c.Domain == "" {
+	case c.Domain == "":
 		return errors.New("domain is empty")
-	}
-	if len(c.AllowedServices) == 0 {
+	case len(c.AllowedServices) == 0:
 		return errors.New("the list of allowed services is empty")
-	}
-	if c.AuthService == "" {
+	case c.AuthService == "":
 		return errors.New("auth_service is empty")
-	}
-	if c.U2FAppID != "" && !strings.HasPrefix(c.U2FAppID, "https://") {
+	case c.U2FAppID != "" && !strings.HasPrefix(c.U2FAppID, "https://"):
 		return errors.New("u2f_app_id does not start with https://")
-	}
-	if c.URLPrefix != "" && !strings.HasPrefix(c.URLPrefix, "/") {
+	case c.URLPrefix != "" && !strings.HasPrefix(c.URLPrefix, "/"):
 		return errors.New("url_path_prefix does not start with /")
 	}
 
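Review bot: valid() gains no case for the new homepage_redirect_url, so whatever string is in the config is later handed to http.Redirect unchanged. A value without a scheme would be resolved relative to the request path, and an http:// value would send users leaving the login service over plaintext. A case shaped like the existing u2f_app_id one would reject both at startup: `case c.HomepageRedirectURL != "" && !strings.HasPrefix(c.HomepageRedirectURL, "https://"):` followed by `return errors.New("homepage_redirect_url does not start with https://")`. Whether plain http should be tolerated is a deployment decision, so treat the https requirement as a suggestion. The body of valid() continues past the end of this hunk.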
diff --git a/server/http.go b/server/http.go
index a439be9..fc23864 100644
--- a/server/http.go
+++ b/server/http.go
@@ -93,6 +93,7 @@ type Server struct {
 	csrfSecret          []byte
 	tpl                 *template.Template
 	urlPrefix           string
+	homepageRedirectURL string
 }
 
 func sl2bl(sl []string) [][]byte {
@@ -120,6 +121,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 		authSessionStore:    store,
 		loginService:        loginService,
 		urlPrefix:           urlPrefix,
+		homepageRedirectURL: config.HomepageRedirectURL,
 		tpl:                 parseEmbeddedTemplates(),
 	}
 	if config.CSRFSecret != "" {
@@ -252,6 +254,19 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
 		}
 	}
 
+	// If the above parameters are unset, we're probably faced with a user
+	// that reached this URL by other means. Redirect them to the
+	// configured homepageRedirectURL, or at least return a slightly more
+	// user-friendly error.
+	if service == "" || destination == "" {
+		if h.homepageRedirectURL != "" {
+			http.Redirect(w, req, h.homepageRedirectURL, http.StatusFound)
+		} else {
+			http.Error(w, "You are not supposed to reach this page directly. Use the back button in your browser instead.", http.StatusBadRequest)
+		}
+		return
+	}
+
 	// Make the authorization request.
 	token, err := h.loginService.Authorize(username, service, destination, nonce, groups)
 	if err != nil {
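Review bot: The comment above the new `if service == "" || destination == ""` branch should state that the redirect target is static operator configuration and is never taken from the request. That property is what keeps this branch from becoming an open redirect on a login endpoint, and it is easy to lose in a later change. Something like `// homepageRedirectURL comes only from the config file, never from request parameters.` appended to the existing comment would do. handleHomepage starts and ends outside this hunk, so it is not visible here whether earlier code already rejects empty service or destination values, or whether only one of the two can be empty at this point.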
-- 
GitLab