Allow custom permission denied messages

c2FmZQ · Jan 30, 2025 · e10a51b · e10a51b
1 parent 02ca984
commit e10a51b
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### :wrench: Bug fixes
 
 * Handle quic.ErrTransportClosed correctly.
+* Allow customized permission denied messages.
 
 ## v0.15.0-rc1
 

diff --git a/proxy/backend-sso.go b/proxy/backend-sso.go
@@ -254,17 +254,21 @@ func (be *Backend) servePermissionDenied(w http.ResponseWriter, req *http.Reques
 		URL        string
 		DisplayURL string
 		Token      string
+		Message    template.HTML
 	}{
 		Email:      email,
 		URL:        url,
 		DisplayURL: url,
 		Token:      token,
+		Message:    template.HTML(be.SSO.HTMLMessage),
 	}
 	if len(data.DisplayURL) > 100 {
 		data.DisplayURL = data.DisplayURL[:97] + "..."
 	}
 	w.WriteHeader(http.StatusForbidden)
-	permissionDeniedTemplate.Execute(w, data)
+	if err := permissionDeniedTemplate.Execute(w, data); err != nil {
+		be.logErrorF("ERR permission-denied-template: %v", err)
+	}
 }
 
 func (be *Backend) enforceSSOPolicy(w http.ResponseWriter, req *http.Request) bool {
@@ -325,7 +329,9 @@ func (be *Backend) enforceSSOPolicy(w http.ResponseWriter, req *http.Request) bo
 			data.DisplayURL = data.DisplayURL[:97] + "..."
 		}
 		w.WriteHeader(http.StatusForbidden)
-		loginTemplate.Execute(w, data)
+		if err := loginTemplate.Execute(w, data); err != nil {
+			be.logErrorF("ERR login-template: %v", err)
+		}
 		return false
 	}
 	userID, _ := claims["email"].(string)

diff --git a/proxy/config.go b/proxy/config.go
@@ -648,6 +648,9 @@ type BackendSSO struct {
 	// Exceptions is a list of path prefixes that are exempt from SSO
 	// enforcement, e.g. /app.webmanifest or /favicon.png
 	Exceptions []string `yaml:"exceptions,omitempty"`
+	// HTMLMessage is displayed on the permission denied screen. The value
+	// is HTML and will be used as it is without escaping.
+	HTMLMessage string `yaml:"htmlMessage,omitempty"`
 	// SetUserIDHeader indicates that the x-tlsproxy-user-id header should
 	// be set with the email address of the user.
 	//

diff --git a/proxy/internal/passkeys/manager.go b/proxy/internal/passkeys/manager.go
@@ -164,7 +164,22 @@ type nonceData struct {
 }
 
 func (m *Manager) SetACL(acl *[]string) {
-	m.acl = acl
+	if acl == nil {
+		return
+	}
+	if m.acl == nil {
+		m.acl = new([]string)
+	}
+	v := make(map[string]bool)
+	for _, a := range *m.acl {
+		v[a] = true
+	}
+	for _, a := range *acl {
+		if v[a] {
+			continue
+		}
+		*m.acl = append(*m.acl, a)
+	}
 }
 
 func (m *Manager) vacuum() {
@@ -358,7 +373,9 @@ func (m *Manager) HandleCallback(w http.ResponseWriter, req *http.Request) {
 			data.Email, _ = redirectClaims["email"].(string)
 		}
 		w.Header().Set("X-Frame-Options", "DENY")
-		authTemplate.Execute(w, data)
+		if err := authTemplate.Execute(w, data); err != nil {
+			m.cfg.Logger.Errorf("ERR auth-template: %v", err)
+		}
 
 	case "AssertionOptions":
 		if req.Method != "POST" {

diff --git a/proxy/permission-denied-template.html b/proxy/permission-denied-template.html
@@ -23,6 +23,7 @@
 <div class="big">🛂</div>
 <div><em>{{.Email}}</em> is not permitted to access</div>
 <div id="target"><a href="{{.URL}}">{{.DisplayURL}}</a></div>
+{{- .Message }}
 </div>
 </body>
 </html>