feat(api): add redirect for users blocked by okta (#47992)

* feat(api): add redirect for users blocked by okta * fix: redirect blocked users immediately * fix: return early if no userInfo We can't proceed without it, so we have to ask the user to try again. Co-authored-by: Oliver Eyton-Williams <ojeytonwilliams@gmail.com>
2026-04-13 22:00:19 -04:00 · 2022-10-12 20:28:21 +05:30
parent 06765555c1
commit 092d7d04d6
1 changed files with 19 additions and 5 deletions
--- a/api-server/src/server/component-passport.js
+++ b/api-server/src/server/component-passport.js
@@ -118,6 +118,25 @@ export const createPassportCallbackAuthenticator =
          return next(err);
        }

+        const state = req && req.query && req.query.state;
+        // returnTo, origin and pathPrefix are audited by getReturnTo
+        let { returnTo, origin, pathPrefix } = getReturnTo(state, jwtSecret);
+        const redirectBase = getPrefixedLandingPath(origin, pathPrefix);
+
+        const { error, error_description } = req.query;
+        if (error === 'access_denied') {
+          const blockedByLaw =
+            error_description === 'Access denied from your location';
+
+          // Do not show any error message, instead redirect to the blocked page, with details.
+          if (blockedByLaw) {
+            return res.redirectWithFlash(`${redirectBase}/blocked`);
+          }
+
+          req.flash('info', dedent`${error_description}.`);
+          return res.redirectWithFlash(`${redirectBase}/learn`);
+        }
+
        if (!user || !userInfo) {
          return res.redirect('/signin');
        }
@@ -140,11 +159,6 @@ we recommend using your email address: ${user.email} to sign in instead.
          req.login(user);
        }

-        const state = req && req.query && req.query.state;
-        // returnTo, origin and pathPrefix are audited by getReturnTo
-        let { returnTo, origin, pathPrefix } = getReturnTo(state, jwtSecret);
-        const redirectBase = getPrefixedLandingPath(origin, pathPrefix);
-
        // TODO: getReturnTo could return a success flag to show a flash message,
        // but currently it immediately gets overwritten by a second message. We
        // should either change the message if the flag is present or allow