Bootstrap-styled error page for OAuth allowlist denial and other auth failures #57

New issue

Open

opened 2026-05-28 15:13:29 +00:00 by mik-tf · 0 comments

mik-tf commented

2026-05-28 15:13:29 +00:00

Owner

Today the auth failure response in hero_proxy_server is a bare HTTP body string, surfaced by the operator (mik-tf) walking through a denied SSO flow and landing on a near-unstyled Forge user not in admin allowlist page that looks like the browser's default error chrome. There are seven such sites in crates/hero_proxy_server/src/proxy.rs returning plaintext bodies for failures (Body::from("Email not in allowed list") at proxy.rs:533, Body::from("Forge user not in admin allowlist") at proxy.rs:540, Body::from("Unauthorized") at proxy.rs:387 for bearer auth, Body::from(format!("Signature auth failed: {e}")) at proxy.rs:455 and the missing bearer/signature header case around proxy.rs:461 to 466, plus one site in domain.rs). Proposal: add one Askama template oauth_error.html extending the same Bootstrap base the cockpit uses (hero_admin_lib), rendered for the three distinguishable error classes (not_in_allowlist, oauth_exchange_failed, bearer_or_signature_missing), with an industry-standard shape: clear "Sign in failed" heading, one-line plain-English reason, a "Try again" primary button that retriggers the OAuth dance, a secondary "Sign in with a different account" link that clears the session and re-OAuths, and a small "Need access? Contact the workspace admin." footer line. Estimated scope around 2 to 3 hours including the template, the three error-class wire points in proxy.rs, and a minimal integration test that asserts the error class lands as HTML with the right status code.

Signed-by: mik-tf mik-tf@noreply.invalid

Today the auth failure response in `hero_proxy_server` is a bare HTTP body string, surfaced by the operator (mik-tf) walking through a denied SSO flow and landing on a near-unstyled `Forge user not in admin allowlist` page that looks like the browser's default error chrome. There are seven such sites in `crates/hero_proxy_server/src/proxy.rs` returning plaintext bodies for failures (`Body::from("Email not in allowed list")` at proxy.rs:533, `Body::from("Forge user not in admin allowlist")` at proxy.rs:540, `Body::from("Unauthorized")` at proxy.rs:387 for bearer auth, `Body::from(format!("Signature auth failed: {e}"))` at proxy.rs:455 and the missing bearer/signature header case around proxy.rs:461 to 466, plus one site in `domain.rs`). Proposal: add one Askama template `oauth_error.html` extending the same Bootstrap base the cockpit uses (`hero_admin_lib`), rendered for the three distinguishable error classes (`not_in_allowlist`, `oauth_exchange_failed`, `bearer_or_signature_missing`), with an industry-standard shape: clear "Sign in failed" heading, one-line plain-English reason, a "Try again" primary button that retriggers the OAuth dance, a secondary "Sign in with a different account" link that clears the session and re-OAuths, and a small "Need access? Contact the workspace admin." footer line. Estimated scope around 2 to 3 hours including the template, the three error-class wire points in proxy.rs, and a minimal integration test that asserts the error class lands as HTML with the right status code. Signed-by: mik-tf <mik-tf@noreply.invalid>