handle 410 errors from oauth/token (#19996)

GitOrigin-RevId: b4afe36db789959fa1496a15e0e604ae69969da4
2026-05-23 17:19:37 +02:00 · 2024-08-20 10:01:20 +01:00
parent 36141fea80
commit adec068ff4
1 changed files with 27 additions and 1 deletions
--- a/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/server/Oauth2Filter.java
+++ b/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/server/Oauth2Filter.java
@@ -46,10 +46,15 @@ public class Oauth2Filter implements Filter {
   *
   * So, for projects that need auth, we return 401. Git will swallow this
   * and prompt the user for user/pass, and then make a brand new request.
+   *
   * @param servletRequest
+   *
   * @param servletResponse
+   *
   * @param filterChain
+   *
   * @throws IOException
+   *
   * @throws ServletException
   */
  @Override
@@ -125,6 +130,15 @@ public class Oauth2Filter implements Filter {
          handleRateLimit(projectId, username, request, response);
        } else if (statusCode == 400 || statusCode == 401) {
          handleNeedAuthorization(projectId, username, request, response);
+        } else if (statusCode == 410) {
+          // 410 is returned from `web` though endpoint "/oauth/token" is not deprecated.
+          // Ideally, we should return 400 with proper error info in the response body.
+          // However, on the git-bridge side, `google-oauth-client` is used to request
+          // tokens, and there is no easy way to get response body as everything is
+          // encapsulated by the library.
+          // Hence we use http error code 410 to indicate password auth is deprecated for
+          // a user.
+          handlePasswordAuthenticationDeprecation(projectId, request, response);
        } else {
          handleUnknownOauthServerError(projectId, statusCode, request, response);
        }
@@ -271,6 +285,17 @@ public class Oauth2Filter implements Filter {
    sendResponse(response, 500, Arrays.asList("Unexpected server error. Please try again later."));
  }

+  private void handlePasswordAuthenticationDeprecation(
+      String projectId, HttpServletRequest request, HttpServletResponse response)
+      throws IOException {
+    Log.info("[{}] Password authentication deprecated, ip={}", projectId, getClientIp(request));
+    sendResponse(
+        response,
+        403,
+        Arrays.asList(
+            "Overleaf now only supports Git authentication tokens to access git. See: https://www.overleaf.com/learn/how-to/Git_integration_authentication_tokens"));
+  }
+
  /*
   * Gets the remote IP from the request.
   */
@@ -319,7 +344,8 @@ public class Oauth2Filter implements Filter {
  }

  /*
-   * Perform a password grant flow with the OAuth server and return an access token.
+   * Perform a password grant flow with the OAuth server and return an access
+   * token.
   *
   * The access token is null if the password grant flow was unsuccessful.
   */