From 092d7d04d65e9ca76b7065b97522c5019425bbe8 Mon Sep 17 00:00:00 2001
From: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com>
Date: Wed, 12 Oct 2022 20:28:21 +0530
Subject: [PATCH] feat(api): add redirect for users blocked by okta (#47992)
* feat(api): add redirect for users blocked by okta
* fix: redirect blocked users immediately
* fix: return early if no userInfo
We can't proceed without it, so we have to ask the user to try again.
Co-authored-by: Oliver Eyton-Williams
---
 api-server/src/server/component-passport.js | 24 ++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/api-server/src/server/component-passport.js b/api-server/src/server/component-passport.js
index 5d7da3e42b0..2ef67379986 100644
--- a/api-server/src/server/component-passport.js
+++ b/api-server/src/server/component-passport.js
@@ -118,6 +118,25 @@ export const createPassportCallbackAuthenticator =
 return next(err);
 }
+ const state = req && req.query && req.query.state;
+ // returnTo, origin and pathPrefix are audited by getReturnTo
+ let { returnTo, origin, pathPrefix } = getReturnTo(state, jwtSecret);
+ const redirectBase = getPrefixedLandingPath(origin, pathPrefix);
+
+ const { error, error_description } = req.query;
+ if (error === 'access_denied') {
+ const blockedByLaw =
+ error_description === 'Access denied from your location';
+
+ // Do not show any error message, instead redirect to the blocked page, with details.
+ if (blockedByLaw) {
+ return res.redirectWithFlash(`${redirectBase}/blocked`);
+ }
+
+ req.flash('info', dedent`${error_description}.`);
+ return res.redirectWithFlash(`${redirectBase}/learn`);
+ }
+
 if (!user || !userInfo) {
 return res.redirect('/signin');
 }
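Review bot: The `req.flash('info', …)` call in the `access_denied` branch echoes `error_description` verbatim from `req.query`, and this branch runs before the `!user || !userInfo` check, so the flashed text is whatever arrived in the callback URL rather than something known to come from the identity provider. Depending on how flash messages are rendered (not visible here), that is at least user-facing content spoofing, and a missing parameter would be shown as "undefined.". Prefer a fixed message, e.g. `req.flash('info', 'Sign-in was denied. Please try again.');`, or map a small allowlist of known provider descriptions to local strings and require `typeof error_description === 'string'`. The `blockedByLaw` comparison has the same dependency: it trusts an exact provider string read from the query, so it is both request-controlled and brittle if the provider rewords it. The enclosing callback starts and ends outside this hunk.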
@@ -140,11 +159,6 @@ we recommend using your email address: ${user.email} to sign in instead.
 req.login(user);
 }
- const state = req && req.query && req.query.state;
- // returnTo, origin and pathPrefix are audited by getReturnTo
- let { returnTo, origin, pathPrefix } = getReturnTo(state, jwtSecret);
- const redirectBase = getPrefixedLandingPath(origin, pathPrefix);
-
 // TODO: getReturnTo could return a success flag to show a flash message,
 // but currently it immediately gets overwritten by a second message. We
 // should either change the message if the flag is present or allow