From c7c67be49fb2b7307900db7e3da4b460f5603ac6 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Wed, 8 Jul 2009 20:44:22 +0000
Subject: Add various messages when things go wrong. Don't try to authenticate POST.
---
 module/consumer.cc | 70 +++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 46 insertions(+), 24 deletions(-)
(limited to 'module/consumer.cc')
diff --git a/module/consumer.cc b/module/consumer.cc
index bc248ad..cbdcfe3 100644
--- a/module/consumer.cc
+++ b/module/consumer.cc
@@ -12,6 +12,7 @@ using opkele::association;
 using opkele::bad_input;
 using opkele::dumb_RP;
 using opkele::exception;
+using opkele::exception_curl;
 using opkele::failed_discovery;
 using opkele::failed_lookup;
 using opkele::failed_xri_resolution;
@@ -460,6 +461,14 @@ begin_auth (sid_request_t *req, Consumer &consumer, const string& trust_root,
 params_t result;
 string redirect;
 
+ /* We cannot authenticate anything but a GET request */
+ if (strcmp (sid_request_method (req), "GET") != 0) {
+ sid_request_respond_html (req, 401, "Must Login",
+ "

Must Login

You must be logged in before you can complete this action.

", + "

Login

", NULL);
+ return;
+ }
+
 try {
 openid_message_t cm;
 consumer.initiate (identity);
@@ -468,34 +477,44 @@ begin_auth (sid_request_t *req, Consumer &consumer, const string& trust_root,
 redirect = cm.append_query (consumer.get_endpoint().uri);
 
 } catch (failed_xri_resolution &ex) {
- sid_request_respond (req, 503, "Invalid Identifier", NULL);
- sid_request_log_error (req, "failed xri resolution while while discovering identity provider",
- ex.what ());
+ sid_request_respond_html (req, 503, "Invalid Identifier",
+ "
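Review bot: `strcmp (sid_request_method (req), "GET")` dereferences the method string without a NULL check; if `sid_request_method` can return NULL for a malformed request line this is undefined behaviour, so binding it first and testing `method == NULL || strcmp (method, "GET") != 0` would be safer. The 401 sent by `sid_request_respond_html` carries no `WWW-Authenticate` header, which is what HTTP defines for that status; 405 with `Allow: GET`, or 403, describes a rejected POST more accurately, though the intent here seems to be to lead the user to the login link. The comment could also state the reason, which is presumably that the redirect round trip through the identity provider cannot carry a request body: `/* Only GET can be authenticated: the redirect through the identity provider would lose the body of any other method */`. begin_auth's body starts before this hunk and continues past it.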

Invalid identifier

Details: Could not resolve identity provider.

", NULL);
+ sid_request_log_error (req, "failed xri resolution while while discovering identity provider", ex.what ());
 return;
 
 } catch (failed_discovery &ex) {
- sid_request_respond (req, 503, "Invalid Identifier", NULL);
- sid_request_log_error (req, "failed discovery while while discovering identity provider",
- ex.what ());
+ sid_request_respond_html (req, 503, "Invalid Identifier",
+ "

Invalid identifier

Details: Could not discover identity provider.

", NULL);
+ sid_request_log_error (req, "failed discovery while while discovering identity provider", ex.what ());
 return;
 
 } catch (bad_input &ex) {
- sid_request_respond (req, 503, "Invalid Identifier", NULL);
- sid_request_log_error (req, "bad input while while discovering identity provider",
- ex.what());
+ sid_request_respond_headers (req, 500, "Internal Server Error", NULL);
+ sid_request_log_error (req, "bad input to libopkele", ex.what());
+ return;
+
+ } catch (no_endpoint &ex) {
+ sid_request_respond_html (req, 503, "No Identity Provider",
+ "

No identity provider

Details: Could not contact a valid identity provider to authenticate you.

", NULL);
+ sid_request_log_error (req, "no more endpoints", ex.what());
+ return;
+
+ } catch (exception_curl &ex) {
+ sid_request_respond_html (req, 503, "Bad Identity Provider",
+ "

Bad identity provider

Details: Could not communicate with the identity provider to authenticate you.

", NULL);
+ sid_request_log_error (req, "could not contact identity provider", ex.what());
 return;
 
 } catch (exception &ex) {
- sid_request_respond (req, 500, NULL, NULL);
- sid_request_log_error (req, "error while while discovering identity provider",
- ex.what());
+ sid_request_respond_headers (req, 500, NULL, NULL);
+ sid_request_log_error (req, "error while while discovering identity provider", ex.what());
 return;
 }
 
- sid_request_respond (req, 307, "Moved Temporarily",
- "Location", redirect.c_str(),
- "Cache-Control", "no-cache",
- NULL);
+ sid_request_respond_headers (req, 307, "Moved Temporarily",
+ "Location", redirect.c_str(),
+ "Cache-Control", "no-cache",
+ NULL);
 }
 
 static void
@@ -509,13 +528,13 @@ complete_auth (sid_request_t *req, Consumer &consumer, params_t ¶ms,
 sid_request_authenticated (req, identity.c_str());
 parse_ax_attributes(req, params, attributes);
 } catch (id_res_mismatch &ex) {
- sid_request_respond (req, 403, "Signature mismatch", NULL);
+ sid_request_respond_headers (req, 403, "Signature mismatch", NULL);
 sid_request_log_error (req, "signature did not match data", ex.what());
 } catch (bad_input &ex) {
- sid_request_respond (req, 403, "Bad authentication input", NULL);
+ sid_request_respond_headers (req, 403, "Bad authentication input", NULL);
 sid_request_log_error (req, "bad input", ex.what());
 } catch (id_res_bad_return_to &ex) {
- sid_request_respond (req, 403, "Bad authenticated address", NULL);
+ sid_request_respond_headers (req, 403, "Bad authenticated address", NULL);
 sid_request_log_error (req, "bad return to", ex.what());
 } catch (id_res_failed &ex) {
 /* If we don't have this association, then try again */
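Review bot: The new 307 `sid_request_respond_headers` call puts `redirect`, built by `cm.append_query` from the discovered endpoint URI, straight into the `Location` header; that URI comes from discovery on a user-supplied identity, so unless `sid_request_respond_headers` rejects CR/LF in header values a hostile discovery result could split the response headers — if the responder does not already check this, a guard such as `if (redirect.find_first_of ("\r\n") != string::npos) { sid_request_respond_headers (req, 503, "Bad Identity Provider", NULL); return; }` before the redirect would close it. The new log lines keep the duplicated word in `"failed xri resolution while while discovering identity provider"`, `"failed discovery while while discovering identity provider"` and `"error while while discovering identity provider"`; drop one `while` in each. The `bad_input` branch now answers 500 where the others answer 503; a comment such as `/* bad_input here means we handed libopkele something malformed ourselves, so report it as a server fault */` would record that decision, if that is indeed the reasoning. begin_auth's body starts before this hunk.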
@@ -523,19 +542,22 @@ complete_auth (sid_request_t *req, Consumer &consumer, params_t ¶ms,
 sid_request_log_error (req, "response from invalid association, retrying authentication", NULL);
 finished = false;
 } else {
- sid_request_respond (req, 503, "Service error, try again", NULL);
+ sid_request_respond_headers (req, 503, "Service error, try again", NULL);
 sid_request_log_error (req, "checking response failed", ex.what());
 }
 } catch (exception &ex) {
- sid_request_respond (req, 500, NULL, NULL);
+ sid_request_respond_headers (req, 500, NULL, NULL);
 sid_request_log_error (req, "error while completing authentication", ex.what());
 }
 }
 
 static void
-cancelled_auth (sid_request_t *req, Consumer &consumer, params_t ¶ms)
+cancelled_auth (sid_request_t *req, Consumer &consumer, params_t ¶ms, const string& return_to)
 {
- sid_request_respond (req, 401, "Authentication Required", NULL);
+ sid_request_respond_html (req, 401, "Login Cancelled",
+ "

Login Cancelled

" + "

This website requires authentication, but the authentication process was cancelled.

", + "

Retry login

", NULL); } extern "C" void @@ -567,7 +589,7 @@ sid_consumer_authenticate(sid_request_t *req, sid_storage_t *store, /* Returning cancelled authentication */ if (openid.has_param("mode") && openid.get_param("mode") == "cancel") { - cancelled_auth (req, consumer, openid); + cancelled_auth (req, consumer, openid, url); /* Begin a new authentication */ } else { -- cgit v1.2.3
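Review bot: `cancelled_auth` gains `return_to`, passed as `url` from sid_consumer_authenticate in the following hunk, but nothing legible in the new `sid_request_respond_html` call uses it; the markup of the retry link is not readable in this rendering, so if `return_to` is interpolated into that link's `href` it must be HTML-attribute-escaped (`"`, `<`, `>`, `&`) before concatenation, since a value derived from the request URL written unescaped into the page is a reflected script-injection point, and if it is genuinely unused the parameter should be dropped. `consumer` and `params` likewise appear unused in the visible body and could be removed or documented. The 401 sent here carries no `WWW-Authenticate` header; 403 may describe a user-cancelled login more accurately. A one-line header comment would help, e.g. `/* User abandoned the login at the identity provider; show a page offering to start over */`.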