
Admin Web IDE OAuth mismatch callout: account for relative url

Cindy Halim requested to merge 475276-fix-relative-url-oauth-admin into master

What does this MR do and why?

Currently we display the Web IDE OAuth mismatch callout in the Admin Area page if the request origin does not match the origin of any of the OAuth application's redirect URLs. An origin-only comparison is not necessarily correct once a relative URL root is taken into consideration. This MR fixes that case.

To be safe, we should check whether any of the listed redirect URLs matches the expected redirect URL, which follows the pattern <base_url>/<relative_url>/-/ide/oauth_redirect, as the frontend already does: Fix relative_url_root Web IDE OAuth issues (!161328 - merged).
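The following is an added example (not the code in this MR or elsewhere in GitLab) that contrasts the origin-only comparison with the full expected-redirect-URL comparison described above. It assumes the redirect URIs are supplied as a whitespace-separated string and that the request's base URL and `relative_url_root` are passed in directly; the helper names are hypothetical.

```ruby
require 'uri'

# Path of the Web IDE OAuth callback, relative to the instance root.
IDE_OAUTH_PATH = '/-/ide/oauth_redirect'

# Expected callback for this request: <base_url><relative_url_root>/-/ide/oauth_redirect
def expected_ide_redirect_url(request_base_url, relative_url_root)
  root = relative_url_root.to_s.chomp('/')
  root = "/#{root}" unless root.empty? || root.start_with?('/')
  "#{request_base_url.chomp('/')}#{root}#{IDE_OAUTH_PATH}"
end

# Canonical form for comparison: scheme, host, port (default port filled in by URI)
# and path without a trailing slash. Returns nil for unparsable input.
def normalize(url)
  uri = URI.parse(url)
  [uri.scheme&.downcase, uri.host&.downcase, uri.port, uri.path.chomp('/')]
rescue URI::InvalidURIError
  nil
end

# Pre-fix behaviour (hypothetical reconstruction): compare origins only, ignoring the path.
def origin_match?(request_base_url, redirect_uris)
  request = normalize(request_base_url)
  return false unless request

  redirect_uris.split.any? { |u| (n = normalize(u)) && n[0..2] == request[0..2] }
end

# Fixed behaviour: the callout shows only when none of the redirect URIs equals the
# full expected URL, so a URI with the right origin but without the relative root
# still counts as a mismatch.
def show_mismatch_callout?(request_base_url, relative_url_root, redirect_uris)
  expected = normalize(expected_ide_redirect_url(request_base_url, relative_url_root))
  redirect_uris.split.none? { |u| normalize(u) == expected }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: GDK running under /gitlab, admin reached via a different address.
  uris = 'http://localhost:3000/gitlab/-/ide/oauth_redirect'
  puts show_mismatch_callout?('http://172.16.123.1:3000', '/gitlab', uris) # true
  puts show_mismatch_callout?('http://localhost:3000', '/gitlab', uris)    # false
end
```

The second case worth checking is a redirect URI registered as `http://localhost:3000/-/ide/oauth_redirect` while the instance runs under `/gitlab`: the origin comparison reports a match, so the old check would hide the callout, whereas the full-URL comparison correctly reports a mismatch.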

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

With match: with_match.png

No match: no_match.png

Observed when:

  • Request origin and callback URLs' origin don't match
  • Relative URL mismatches

How to set up and validate locally

Prerequisites:

Enable the Web IDE OAuth flag:

  1. Make sure the `web_ide_oauth` feature flag is enabled by visiting `/gitlab/rails/features`

Test out the different-domain case:

1. Access the admin page via http://172.16.123.1:3000/gitlab/admin

Test out relative URL case: set up relative_url_root locally in your GDK

  1. Stop GDK with gdk stop
  2. Add relative_url_root: "/gitlab" to your gdk.yml
  3. Run gdk reconfigure
  4. In resulting Procfile, add -authBackend http://localhost:8080/gitlab to the end of the line that starts with gitlab-workhorse: (this is an issue with gitlab-workhorse I discovered while testing. We'll fix the Procfile generation in a separate MR)
  5. Start GDK with gdk start
  6. Now you can visit the GDK at /gitlab
  7. IMPORTANT: You might also need to disable Vite, since it seems to have relative_url_root issues: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/configuration.md#vite-settings

Steps:

  • In the Admin Area home page, you should only observe the callout if none of the Web IDE OAuth application's redirect URIs matches the expected base URL.
Edited by Cindy Halim
