feat: introduce and handle error if a user is not in any of the required groups

Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>

connector/connector.go

@@ -3,9 +3,22 @@ package connector
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 )
 
+// UserNotInRequiredGroupsError is returned by a connector when a user
+// successfully authenticates but is not a member of any of the required groups.
+// The server will respond with HTTP 403 Forbidden instead of 500.
+type UserNotInRequiredGroupsError struct {
+	UserID string
+	Groups []string
+}
+
+func (e *UserNotInRequiredGroupsError) Error() string {
+	return fmt.Sprintf("user %q is not in any of the required groups %v", e.UserID, e.Groups)
+}
+
 // Connector is a mechanism for federating login to a remote identity service.
 //
 // Implementations are expected to implement either the PasswordConnector or

server/errors.go

@@ -23,4 +23,8 @@ const (
 
 	// ErrMsgMethodNotAllowed is shown when an unsupported HTTP method is used.
 	ErrMsgMethodNotAllowed = "Method not allowed."
+
+	// ErrMsgNotInRequiredGroups is shown when a user authenticates successfully
+	// but is not a member of any of the groups required by the connector.
+	ErrMsgNotInRequiredGroups = "You are not a member of any of the required groups to authenticate."
 )

server/handlers.go

@@ -7,6 +7,7 @@ import (
 	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"html/template"
 	"net/http"
@@ -487,7 +488,12 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
 
 	if err != nil {
 		s.logger.ErrorContext(r.Context(), "failed to authenticate", "err", err)
-		s.renderError(r, w, http.StatusInternalServerError, ErrMsgAuthenticationFailed)
+		var groupsErr *connector.UserNotInRequiredGroupsError
+		if errors.As(err, &groupsErr) {
+			s.renderError(r, w, http.StatusForbidden, ErrMsgNotInRequiredGroups)
+		} else {
+			s.renderError(r, w, http.StatusInternalServerError, ErrMsgAuthenticationFailed)
+		}
 		return
 	}