
Fix disabled-user bypass after online-to-offline transition #1583

Merged: nooreldeenmansour merged 1 commit into main from fix-offline-disabled-account-bypass on Jun 15, 2026

Conversation

nooreldeenmansour (Member) commented Jun 12, 2026

Disabled-account checks were applied only at session start. When token
refresh fails with a network error, the session falls back to offline
without re-evaluating the cached disabled flags, allowing a disabled user
to log in if the network drops mid-auth.

Consolidate checks to the post-refresh block where all authentication paths
converge. This catches both offline-at-start and online→offline-fallback
cases. Removes duplicate logic and establishes a single canonical gate
before access grant.

UDENG-10645

Copilot AI (Contributor) left a comment

Pull request overview

This PR closes a gap in the OIDC broker password-auth flow where a session that transitions to offline mode during token refresh (e.g., due to a network timeout) could previously proceed using cached credentials without re-applying cached “user/device disabled” flags.

Changes:

  • Re-check cached UserIsDisabled / DeviceIsDisabled flags after token-refresh fallback sets the session to offline.
  • Add regression test cases for online → offline transition during token refresh when user/device is disabled.
  • Add golden test fixtures for the new regression scenarios.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Summary per file:

  • authd-oidc-brokers/internal/broker/broker.go: Adds a post-refresh offline disabled-status re-check to prevent offline login when cached flags indicate user/device is disabled.
  • authd-oidc-brokers/internal/broker/broker_test.go: Adds regression tests covering network-error token refresh causing an online→offline transition with disabled user/device.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_user_is_disabled_and_session_transitions_to_offline_due_to_network_error/first_call: Golden output asserting access denied + user-disabled messaging on offline transition.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_user_is_disabled_and_session_transitions_to_offline_due_to_network_error/data/provider_url/test-user@email.com/token.json: Golden cached token fixture for the new user-disabled offline-transition scenario.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_user_is_disabled_and_session_transitions_to_offline_due_to_network_error/data/provider_url/test-user@email.com/password: Golden cached password fixture for the new user-disabled offline-transition scenario.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_device_is_disabled_and_session_transitions_to_offline_due_to_network_error/first_call: Golden output asserting access denied + device-disabled messaging on offline transition.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_device_is_disabled_and_session_transitions_to_offline_due_to_network_error/data/provider_url/test-user@email.com/token.json: Golden cached token fixture for the new device-disabled offline-transition scenario.
  • authd-oidc-brokers/internal/broker/testdata/golden/TestIsAuthenticated/Error_when_device_is_disabled_and_session_transitions_to_offline_due_to_network_error/data/provider_url/test-user@email.com/password: Golden cached password fixture for the new device-disabled offline-transition scenario.

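As an added example (not code from authd-oidc-brokers or from this PR), the Go program below models the flow that the PR description and the review summary above both describe: a session starts online or offline, a token refresh may fail with a network error, and the cached user/device disabled flags have to be re-applied before access is granted. authenticateBefore has the pre-fix shape, where the cached flags are consulted only when the session starts offline; authenticateAfter moves the check to a single gate after the refresh step, where every path converges. The type and function names (cachedAuth, outcome, refreshFunc, networkDown), the two-flag cache layout and the password-match boolean are assumptions made for illustration, not the broker's real API, and the scenarios in main are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
)

// cachedAuth is a hypothetical per-user cache a broker keeps for offline logins.
type cachedAuth struct {
	UserIsDisabled   bool // last-known "user disabled" flag from the provider
	DeviceIsDisabled bool // last-known "device disabled" flag from the provider
	PasswordOK       bool // the supplied password matched the cached hash
}

type outcome struct {
	Granted bool
	Reason  string
}

// errNetwork models a refresh that failed because the provider was unreachable.
var errNetwork = errors.New("provider unreachable")

// refreshFunc models a token refresh; success returns the provider's current flags.
type refreshFunc func() (userDisabled, deviceDisabled bool, err error)

// networkDown is a refresh that always fails with a network error.
func networkDown() (bool, bool, error) { return false, false, errNetwork }

// authenticateBefore has the shape the PR describes as buggy: the cached
// disabled flags are consulted only when the session starts offline.
func authenticateBefore(offlineAtStart bool, cache cachedAuth, refresh refreshFunc) outcome {
	if !cache.PasswordOK {
		return outcome{false, "password mismatch"}
	}
	if offlineAtStart {
		if cache.UserIsDisabled {
			return outcome{false, "user disabled (cached flag)"}
		}
		if cache.DeviceIsDisabled {
			return outcome{false, "device disabled (cached flag)"}
		}
		return outcome{true, "offline login"}
	}
	userDisabled, deviceDisabled, err := refresh()
	switch {
	case errors.Is(err, errNetwork):
		// Online->offline fallback without re-reading the cached flags: a
		// disabled user whose refresh hits a network error is let in.
		return outcome{true, "offline login after refresh network error"}
	case err != nil:
		return outcome{false, "refresh rejected: " + err.Error()}
	case userDisabled:
		return outcome{false, "user disabled (provider)"}
	case deviceDisabled:
		return outcome{false, "device disabled (provider)"}
	}
	return outcome{true, "online login"}
}

// authenticateAfter moves the check to one gate after the refresh step, where
// offline-at-start, online->offline fallback and a successful refresh converge.
func authenticateAfter(offlineAtStart bool, cache cachedAuth, refresh refreshFunc) outcome {
	if !cache.PasswordOK {
		return outcome{false, "password mismatch"}
	}
	offline := offlineAtStart
	userDisabled, deviceDisabled := cache.UserIsDisabled, cache.DeviceIsDisabled
	if !offline {
		u, d, err := refresh()
		switch {
		case errors.Is(err, errNetwork):
			offline = true // fall back to offline; the cached flags stay in force
		case err != nil:
			return outcome{false, "refresh rejected: " + err.Error()}
		default:
			userDisabled, deviceDisabled = u, d // fresh flags replace the cache
		}
	}
	switch { // the single canonical gate before any access grant
	case userDisabled:
		return outcome{false, "user disabled"}
	case deviceDisabled:
		return outcome{false, "device disabled"}
	case offline:
		return outcome{true, "offline login"}
	}
	return outcome{true, "online login"}
}

func main() {
	disabled := cachedAuth{UserIsDisabled: true, PasswordOK: true}
	for _, offlineAtStart := range []bool{true, false} {
		b := authenticateBefore(offlineAtStart, disabled, networkDown)
		a := authenticateAfter(offlineAtStart, disabled, networkDown)
		fmt.Printf("offlineAtStart=%-5v before: granted=%-5v (%s) | after: granted=%-5v (%s)\n",
			offlineAtStart, b.Granted, b.Reason, a.Granted, a.Reason)
	}
}
```

Run it with go run. The second line of output is the bypass: with offlineAtStart=false the pre-fix path returns granted=true for a user whose cached flag says disabled, because the network error short-circuits straight to the offline branch and never revisits the cache; the fixed path carries the cached flags through to the gate and denies. A choice made in this example, not something the PR states, is that only a network error falls back to cached state, while any other refresh failure (for instance a provider rejecting the refresh) is a denial, so that a rejected token cannot be quietly upgraded into an offline login.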

nooreldeenmansour force-pushed the fix-offline-disabled-account-bypass branch 2 times, most recently from 76cd656 to ccfb31c (June 12, 2026 17:12)
nooreldeenmansour changed the title from "fix: re-check disabled status after offline fallback during token refresh" to "Fix disabled-user bypass after online-to-offline transition" (Jun 12, 2026)
nooreldeenmansour marked this pull request as ready for review (June 12, 2026 17:14)
nooreldeenmansour force-pushed the fix-offline-disabled-account-bypass branch from ccfb31c to d814240 (June 12, 2026 17:18)
nooreldeenmansour force-pushed the fix-offline-disabled-account-bypass branch 2 times, most recently from da6de45 to d814240 (June 12, 2026 19:11)
codecov Bot commented Jun 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.25%. Comparing base (f3b3e10) to head (0771f19).
⚠️ Report is 80 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1583   +/-   ##
=======================================
  Coverage   84.25%   84.25%           
=======================================
  Files          21       21           
  Lines        1162     1162           
=======================================
  Hits          979      979           
  Misses        183      183           


Disabled-account checks were applied only at session start. When token
refresh fails with a network error, the session falls back to offline
without re-evaluating the cached disabled flags, allowing a disabled user
to log in if the network drops mid-auth.

Consolidate checks to the post-refresh block where all authentication paths
converge. This catches both offline-at-start and online→offline-fallback
cases. Removes duplicate logic and establishes a single canonical gate
before access grant.
nooreldeenmansour force-pushed the fix-offline-disabled-account-bypass branch from 97eb239 to 0771f19 (June 15, 2026 10:26)
nooreldeenmansour merged commit e8528d4 into main on Jun 15, 2026
10 checks passed
nooreldeenmansour deleted the fix-offline-disabled-account-bypass branch (June 15, 2026 10:34)