NET-1064: Improved Oauth SignUp message prompts (#2875)

* add pending users api * insert user to pending users on first time oauth login * add pending user check on headless login * fix conflicting apis * no records error * add allowed emails domains for oauth singup to config * check if user is allowed to signup * improve oauth message prompts * handle trial enddate error logs
2025-09-09 22:55:02 +08:00 · 2024-04-03 23:59:44 +05:30 · 2024-04-03 23:59:44 +05:30 · b7c8b738d7
commit b7c8b738d7
parent dccb6b5da7
8 changed files with 47 additions and 30 deletions
--- a/auth/azure-ad.go
+++ b/auth/azure-ad.go
@ -67,7 +67,7 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
 	}
 	// check if user approval is already pending
 	if logic.IsPendingUser(content.UserPrincipalName) {
-		handleOauthUserNotAllowed(w)
+		handleOauthUserSignUpApprovalPending(w)
 		return
 	}
 	_, err = logic.GetUser(content.UserPrincipalName)
@ -80,7 +80,7 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
 				handleSomethingWentWrong(w)
 				return
 			}
-			handleOauthUserNotAllowed(w)
+			handleFirstTimeOauthUserSignUp(w)
 			return
 		} else {
 			handleSomethingWentWrong(w)
--- a/auth/error.go
+++ b/auth/error.go
@ -12,12 +12,26 @@ const oauthNotConfigured = `<!DOCTYPE html><html>

 const userNotAllowed = `<!DOCTYPE html><html>
 <body>
-<h3>Only Admins are allowed to access Dashboard.</h3>
-<h3>Furthermore, Admin has to approve your identity to have access to netmaker networks</h3>
-<p>Once your identity is approved, Non-Admins can access the netmaker networks using <a href="https://docs.netmaker.io/pro/rac.html" target="_blank" rel="noopener">RemoteAccessClient.</a></p>
+<h3>Only administrators can access the Dashboard. Please contact your administrator to elevate your account.</h3>
+<p>Non-Admins can access the netmaker networks using <a href="https://docs.netmaker.io/pro/rac.html" target="_blank" rel="noopener">RemoteAccessClient.</a></p>
 </body>
 </html>
 `
+
+const userFirstTimeSignUp = `<!DOCTYPE html><html>
+<body>
+<h3>Thank you for signing up. Please contact your administrator for access.</h3>
+</body>
+</html>
+`
+
+const userSignUpApprovalPending = `<!DOCTYPE html><html>
+<body>
+<h3>Your account is yet to be approved. Please contact your administrator for access.</h3>
+</body>
+</html>
+`
+
 const userNotFound = `<!DOCTYPE html><html>
 <body>
 <h3>User Not Found.</h3>
@ -26,13 +40,13 @@ const userNotFound = `<!DOCTYPE html><html>

 const somethingwentwrong = `<!DOCTYPE html><html>
 <body>
-<h3>Something went wrong. Contact Admin</h3>
+<h3>Something went wrong. Contact Admin.</h3>
 </body>
 </html>`

 const notallowedtosignup = `<!DOCTYPE html><html>
 <body>
-<h3>You are not allowed to SignUp.</h3>
+<h3>Your email is not allowed. Please contact your administrator.</h3>
 </body>
 </html>`

@ -47,6 +61,17 @@ func handleOauthUserNotAllowed(response http.ResponseWriter) {
 	response.WriteHeader(http.StatusForbidden)
 	response.Write([]byte(userNotAllowed))
 }
+func handleFirstTimeOauthUserSignUp(response http.ResponseWriter) {
+	response.Header().Set("Content-Type", "text/html; charset=utf-8")
+	response.WriteHeader(http.StatusForbidden)
+	response.Write([]byte(userFirstTimeSignUp))
+}
+
+func handleOauthUserSignUpApprovalPending(response http.ResponseWriter) {
+	response.Header().Set("Content-Type", "text/html; charset=utf-8")
+	response.WriteHeader(http.StatusForbidden)
+	response.Write([]byte(userSignUpApprovalPending))
+}

 func handleOauthUserNotAllowedToSignUp(response http.ResponseWriter) {
 	response.Header().Set("Content-Type", "text/html; charset=utf-8")
--- a/auth/github.go
+++ b/auth/github.go
@ -67,7 +67,7 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
 	}
 	// check if user approval is already pending
 	if logic.IsPendingUser(content.Login) {
-		handleOauthUserNotAllowed(w)
+		handleOauthUserSignUpApprovalPending(w)
 		return
 	}
 	_, err = logic.GetUser(content.Login)
@ -80,7 +80,7 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
 				handleSomethingWentWrong(w)
 				return
 			}
-			handleOauthUserNotAllowed(w)
+			handleFirstTimeOauthUserSignUp(w)
 			return
 		} else {
 			handleSomethingWentWrong(w)
--- a/auth/google.go
+++ b/auth/google.go
@ -69,7 +69,7 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 	}
 	// check if user approval is already pending
 	if logic.IsPendingUser(content.Email) {
-		handleOauthUserNotAllowed(w)
+		handleOauthUserSignUpApprovalPending(w)
 		return
 	}
 	_, err = logic.GetUser(content.Email)
@ -82,7 +82,7 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 				handleSomethingWentWrong(w)
 				return
 			}
-			handleOauthUserNotAllowed(w)
+			handleFirstTimeOauthUserSignUp(w)
 			return
 		} else {
 			handleSomethingWentWrong(w)
--- a/auth/oidc.go
+++ b/auth/oidc.go
@ -80,7 +80,7 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 	}
 	// check if user approval is already pending
 	if logic.IsPendingUser(content.Email) {
-		handleOauthUserNotAllowed(w)
+		handleOauthUserSignUpApprovalPending(w)
 		return
 	}
 	_, err = logic.GetUser(content.Email)
@ -93,7 +93,7 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 				handleSomethingWentWrong(w)
 				return
 			}
-			handleOauthUserNotAllowed(w)
+			handleFirstTimeOauthUserSignUp(w)
 			return
 		} else {
 			handleSomethingWentWrong(w)
--- a/logic/telemetry.go
+++ b/logic/telemetry.go
@ -39,10 +39,7 @@ func sendTelemetry() error {
 		return err
 	}
 	// get telemetry data
-	d, err := FetchTelemetryData()
-	if err != nil {
-		slog.Error("error fetching telemetry data", "error", err)
-	}
+	d := FetchTelemetryData()
 	// get tenant admin email
 	adminEmail := os.Getenv("NM_EMAIL")
 	client, err := posthog.NewWithConfig(posthog_pub_key, posthog.Config{Endpoint: posthog_endpoint})
@ -82,7 +79,7 @@ func sendTelemetry() error {
 }

 // FetchTelemetryData - fetches telemetry data: count of various object types in DB
-func FetchTelemetryData() (telemetryData, error) {
+func FetchTelemetryData() telemetryData {
 	var data telemetryData

 	data.IsPro = servercfg.IsPro
@ -92,21 +89,16 @@ func FetchTelemetryData() (telemetryData, error) {
 	data.Hosts = getDBLength(database.HOSTS_TABLE_NAME)
 	data.Version = servercfg.GetVersion()
 	data.Servers = getServerCount()
-	nodes, err := GetAllNodes()
-	if err == nil {
-		data.Nodes = len(nodes)
-		data.Count = getClientCount(nodes)
-	}
-	endDate, err := GetTrialEndDate()
-	if err != nil {
-		logger.Log(0, "error getting trial end date", err.Error())
-	}
+	nodes, _ := GetAllNodes()
+	data.Nodes = len(nodes)
+	data.Count = getClientCount(nodes)
+	endDate, _ := GetTrialEndDate()
 	data.ProTrialEndDate = endDate
 	if endDate.After(time.Now()) {
 		data.IsProTrial = true
 	}
 	data.IsSaasTenant = servercfg.DeployedByOperator()
-	return data, err
+	return data
 }

 // getServerCount returns number of servers from database
--- a/migrate/migrate.go
+++ b/migrate/migrate.go
@ -177,7 +177,7 @@ func removeInterGw(egressRanges []string) ([]string, bool) {
 func updateAcls() {
 	// get all networks
 	networks, err := logic.GetNetworks()
-	if err != nil {
+	if err != nil && !database.IsEmptyRecord(err) {
 		slog.Error("acls migration failed. error getting networks", "error", err)
 		return
 	}
--- a/pro/trial.go
+++ b/pro/trial.go
@ -42,7 +42,7 @@ const trial_data_key = "trialdata"

 // stores trial end date
 func initTrial() error {
-	telData, _ := logic.FetchTelemetryData()
+	telData := logic.FetchTelemetryData()
 	if telData.Hosts > 0 || telData.Networks > 0 || telData.Users > 0 {
 		return nil // database is already populated, so skip creating trial
 	}