pass deny reason to login page

Plopmenz · Plopmenz · commit 7fc12af82c4f · 2026-01-28T17:51:36.000+01:00
diff --git a/astro-app/src/pages/api/validate.ts b/astro-app/src/pages/api/validate.ts
@@ -17,12 +17,12 @@ export const GET: APIRoute = async ({ request, cookies }) => {
   try {
     const domain = request.headers.get("Host");
     if (!domain) {
-      throw new Error();
+      throw new Error("Could not determine domain.");
     }
 
     const path = request.headers.get("Path");
     if (!path) {
-      throw new Error();
+      throw new Error("Could not determine domain.");
     }
 
     const ip = request.headers.get("X-Forwarded-For");
@@ -33,11 +33,11 @@ export const GET: APIRoute = async ({ request, cookies }) => {
       const timestamp = cookies.get("xnode_auth_timestamp")?.value;
 
       if (!isHex(signature)) {
-        throw new Error();
+        throw new Error(`Signature ${signature} is not valid hex.`);
       }
       if (!timestamp || isNaN(Number(timestamp))) {
         // add checks if timestamp in the future or too far in the past
-        throw new Error();
+        throw new Error(`Timestamp ${timestamp} is not a valid number.`);
       }
 
       const validSignature = await verifyXnodeUserEthAddress({
@@ -53,16 +53,17 @@ export const GET: APIRoute = async ({ request, cookies }) => {
       requestedUser = undefined;
     }
 
+    const users = ([] as string[])
+      .concat(ip ? [`ip:${ip}`] : [])
+      .concat(requestedUser ? [requestedUser] : []);
     const user = await hasAccess({
-      users: ([] as string[])
-        .concat(ip ? [`ip:${ip}`] : [])
-        .concat(requestedUser ? [requestedUser] : []),
+      users,
       domain,
       path,
     });
 
     if (user === undefined) {
-      throw new Error();
+      throw new Error(`Access denied for ${requestedUser}`);
     }
 
     return new Response(null, {
@@ -72,7 +73,10 @@ export const GET: APIRoute = async ({ request, cookies }) => {
   } catch (err: any) {
     return new Response(null, {
       status: 401,
-      headers: corsHeaders(request.headers),
+      headers: {
+        "Xnode-Auth-Deny-Reason": err.message,
+        ...corsHeaders(request.headers),
+      },
     });
   }
 };
diff --git a/nix/nixos-module.nix b/nix/nixos-module.nix
@@ -324,6 +324,7 @@ in
                 extraConfig = ''
                   auth_request /xnode-auth/api/validate;
                   auth_request_set $auth_resp_xnode_auth_user $upstream_http_xnode_auth_user;
+                  auth_request_set $auth_resp_xnode_auth_deny_reason $upstream_http_xnode_auth_deny_reason;
                   proxy_set_header Xnode-Auth-User $auth_resp_xnode_auth_user;
                   error_page 401 = @login;
                 '';
@@ -366,7 +367,7 @@ in
               '';
             };
             "@login" = {
-              return = "302 $scheme://$host${cfg.nginxConfig.subpath}?redirect=$scheme://$host$request_uri";
+              return = "302 $scheme://$host${cfg.nginxConfig.subpath}?redirect=$scheme://$host$request_uri&rejected=$auth_resp_xnode_auth_deny_reason";
             };
           }
         ];
