From cf921447489d06aa82f183049519d63804c5e7f7 Mon Sep 17 00:00:00 2001
From: Stephen Birarda <commit@birarda.com>
Date: Wed, 28 Jun 2017 14:13:09 -0700
Subject: [PATCH] fix for OAuth OPTIONS firing on XHR 302

---
 domain-server/resources/web/js/tables.js | 42 ++++++++++++++++--------
 domain-server/src/DomainServer.cpp       | 29 ++++++++++------
 2 files changed, 47 insertions(+), 24 deletions(-)

diff --git a/domain-server/resources/web/js/tables.js b/domain-server/resources/web/js/tables.js
index 09f85a7047..600e5a5f8e 100644
--- a/domain-server/resources/web/js/tables.js
+++ b/domain-server/resources/web/js/tables.js
@@ -2,11 +2,11 @@ $(document).ready(function(){
   // setup the underscore templates
   var nodeTemplate = _.template($('#nodes-template').html());
   var queuedTemplate = _.template($('#queued-template').html());
-  
+
   // setup a function to grab the assignments
   function getNodesAndAssignments() {
     $.getJSON("nodes.json", function(json){
-      
+
       json.nodes.sort(function(a, b){
           if (a.type === b.type) {
             if (a.uptime < b.uptime) {
@@ -16,36 +16,50 @@ $(document).ready(function(){
             } else {
               return 0;
             }
-          } 
-              
+          }
+
           if (a.type === "agent" && b.type !== "agent") {
             return 1;
           } else if (b.type === "agent" && a.type !== "agent") {
             return -1;
           }
-          
+
           if (a.type > b.type) {
             return 1;
           }
-          
+
           if (a.type < b.type) {
             return -1;
-          }   
+          }
       });
-      
+
       $('#nodes-table tbody').html(nodeTemplate(json));
+    }).fail(function(jqXHR, textStatus, errorThrown) {
+      // we assume a 401 means the DS has restarted
+      // and no longer has our OAuth produced uuid
+      // so just reload and re-auth
+      if (jqXHR.status == 401) {
+        location.reload();
+      }
     });
-    
-    $.getJSON("assignments.json", function(json){      
+
+    $.getJSON("assignments.json", function(json){
       $('#assignments-table tbody').html(queuedTemplate(json));
+    }).fail(function(jqXHR, textStatus, errorThrown) {
+      // we assume a 401 means the DS has restarted
+      // and no longer has our OAuth produced uuid
+      // so just reload and re-auth
+      if (jqXHR.status == 401) {
+        location.reload();
+      }
     });
   }
-  
+
   // do the first GET on page load
   getNodesAndAssignments();
   // grab the new assignments JSON every two seconds
   var getNodesAndAssignmentsInterval = setInterval(getNodesAndAssignments, 2000);
-  
+
   // hook the node delete to the X button
   $(document.body).on('click', '.glyphicon-remove', function(){
     // fire off a delete for this node
@@ -57,10 +71,10 @@ $(document).ready(function(){
         }
     });
   });
-  
+
   $(document.body).on('click', '#kill-all-btn', function() {
     var confirmed_kill = confirm("Are you sure?");
-    
+
     if (confirmed_kill == true) {
       $.ajax({
         url: "/nodes/",
diff --git a/domain-server/src/DomainServer.cpp b/domain-server/src/DomainServer.cpp
index 8e3d04897b..9303bed2b5 100644
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@@ -2091,22 +2091,31 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
             // the user does not have allowed username or role, return 401
             return false;
         } else {
-            // re-direct this user to OAuth page
+            static const QByteArray REQUESTED_WITH_HEADER = "X-Requested-With";
+            static const QString XML_REQUESTED_WITH = "XMLHttpRequest";
 
-            // generate a random state UUID to use
-            QUuid stateUUID = QUuid::createUuid();
+            if (connection->requestHeaders().value(REQUESTED_WITH_HEADER) == XML_REQUESTED_WITH) {
+                // unauthorized XHR requests get a 401 and not a 302, since there isn't an XHR
+                // path to OAuth authorize
+                connection->respond(HTTPConnection::StatusCode401, UNAUTHENTICATED_BODY);
+            } else {
+                // re-direct this user to OAuth page
 
-            // add it to the set so we can handle the callback from the OAuth provider
-            _webAuthenticationStateSet.insert(stateUUID);
+                // generate a random state UUID to use
+                QUuid stateUUID = QUuid::createUuid();
 
-            QUrl authURL = oauthAuthorizationURL(stateUUID);
+                // add it to the set so we can handle the callback from the OAuth provider
+                _webAuthenticationStateSet.insert(stateUUID);
 
-            Headers redirectHeaders;
+                QUrl authURL = oauthAuthorizationURL(stateUUID);
 
-            redirectHeaders.insert("Location", authURL.toEncoded());
+                Headers redirectHeaders;
 
-            connection->respond(HTTPConnection::StatusCode302,
-                                QByteArray(), HTTPConnection::DefaultContentType, redirectHeaders);
+                redirectHeaders.insert("Location", authURL.toEncoded());
+
+                connection->respond(HTTPConnection::StatusCode302,
+                                    QByteArray(), HTTPConnection::DefaultContentType, redirectHeaders);
+            }
 
             // we don't know about this user yet, so they are not yet authenticated
             return false;