fix(login): avoid false login failures for robot accounts #942
Open
SeeyaVhora wants to merge 1 commit into
Conversation
During harbor login, the connection is actively verified using the GetCurrentUserInfo endpoint. However, robot accounts are system-level identities and not standard users, so GET /users/current returns a 403 Forbidden. Previously, validateClientConnection treated HTTP 403 as a definite authentication validation failure, immediately aborting the login. This broke automation and CI/CD flows utilizing robot accounts.

This patch refactors validateClientConnection to:

1. Treat only HTTP 401 Unauthorized as a definite authentication failure.
2. Gracefully fall back to secondary verification endpoints (Ping & ListProjects) when GetCurrentUserInfo returns a 403 or other unexpected API/transport errors.
3. Accept HTTP 403 Forbidden from ListProjects (in addition to 200 OK) as successful verification, as long as Ping succeeds, ensuring highly restricted robot accounts can still log in successfully.

Also adds a comprehensive mock-based test suite using httptest.NewServer covering human login, invalid credentials, and standard/restricted robot accounts.

Signed-off-by: Seeya Vhora <seeyavhora5557@gmail.com>
6bdbe2a to f6aabc9
Summary
harbor login with valid robot account credentials can incorrectly trigger an authentication failure during connection validation.
Root Cause Analysis
- /users/current API endpoint through GetCurrentUserInfo.
- /users/current endpoint, Harbor returns a 403 Forbidden response instead of a standard user profile response.
- validateClientConnection previously handled 403 Forbidden identically to 401 Unauthorized, causing robot account authentication to fail during validation even though authentication itself succeeded.
Validation Behavior Matrix
What Changed
- 401 Unauthorized is now treated as the only definitive authentication failure during the primary validation step.
- 403 Forbidden responses now gracefully fall back to secondary /projects and /ping reachability validation checks instead of immediately failing the login flow.
- 403 Forbidden response from the /projects fallback as successful validation when /ping succeeds.
Test Coverage
- httptest.NewServer.
- 200 OK.
- 401 Unauthorized.
- 403 Forbidden on /users/current while successfully passing fallback validation endpoints.
- /projects returns 403 Forbidden but /ping succeeds.
Fixes #941
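As an added illustration, not code from this PR or from the harbor-cli project, the program below encodes the decision rules described above (401 is the only hard failure on /users/current; a 403 or transport error falls back to /ping plus /projects; /projects may answer 200 or 403 as long as /ping succeeds) and exercises them against an httptest.NewServer mock in the same style the PR's test suite uses. Endpoint paths follow the page's shorthand (/users/current, /ping, /projects) rather than Harbor's versioned API prefix; apiStatus, ValidateClientConnection, MockAccount, DemoAccounts and NewMockHarbor are hypothetical names, the accounts and credentials are constructed, and treating a 401 from /projects during the fallback as a credential failure is this example's own choice, not something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrUnauthorized is the only result treated as a definitive authentication failure (HTTP 401).
var ErrUnauthorized = errors.New("harbor login: invalid credentials (401 Unauthorized)")

// apiStatus (hypothetical helper) issues a GET with HTTP basic auth and returns the status
// code; transport errors come back unchanged so the caller can choose to fall back.
func apiStatus(baseURL, path, user, pass string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// ValidateClientConnection applies the PR's rules: 401 from /users/current is definitive,
// 200 is a human login, anything else (a robot's 403, an odd status, a transport error)
// falls back to /ping plus /projects, where /ping must be 200 and /projects may be 200 or
// 403. Treating a 401 from /projects as bad credentials is this example's own assumption.
func ValidateClientConnection(baseURL, user, pass string) error {
	status, err := apiStatus(baseURL, "/users/current", user, pass)
	if err == nil && status == http.StatusUnauthorized {
		return ErrUnauthorized
	}
	if err == nil && status == http.StatusOK {
		return nil // standard user: profile returned
	}
	// Fallback: reachability first, then the least privileged listing endpoint.
	if status, err = apiStatus(baseURL, "/ping", user, pass); err != nil || status != http.StatusOK {
		return fmt.Errorf("harbor login: ping failed (status %d, err %v)", status, err)
	}
	if status, err = apiStatus(baseURL, "/projects", user, pass); err != nil {
		return fmt.Errorf("harbor login: listing projects failed: %w", err)
	}
	switch status {
	case http.StatusOK, http.StatusForbidden:
		return nil // a restricted robot account legitimately gets 403 here
	case http.StatusUnauthorized:
		return ErrUnauthorized
	default:
		return fmt.Errorf("harbor login: unexpected status %d from /projects", status)
	}
}

// MockAccount tells the constructed mock server how to answer a known user.
type MockAccount struct {
	Pass         string
	UsersCurrent int // status for GET /users/current
	Projects     int // status for GET /projects
}

// DemoAccounts are constructed sample identities, one per scenario in the PR's test suite.
var DemoAccounts = map[string]MockAccount{
	"admin":        {"pw-constructed", http.StatusOK, http.StatusOK},                // human user
	"robot$ci":     {"tok-constructed", http.StatusForbidden, http.StatusOK},        // standard robot
	"robot$locked": {"tok-constructed", http.StatusForbidden, http.StatusForbidden}, // restricted robot
}

// NewMockHarbor returns an httptest server for the three endpoints the validator uses.
// Unknown credentials get 401 everywhere; /ping answers 200 for any known account.
func NewMockHarbor(accounts map[string]MockAccount) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		acct, known := accounts[user]
		if !ok || !known || acct.Pass != pass {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		switch r.URL.Path {
		case "/users/current":
			w.WriteHeader(acct.UsersCurrent)
		case "/ping":
			w.WriteHeader(http.StatusOK)
		case "/projects":
			w.WriteHeader(acct.Projects)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := NewMockHarbor(DemoAccounts)
	defer srv.Close()
	for _, c := range [][2]string{{"admin", "pw-constructed"}, {"admin", "wrong"}, {"robot$ci", "tok-constructed"}, {"robot$locked", "tok-constructed"}} {
		fmt.Printf("%-13s -> %v\n", c[0], ValidateClientConnection(srv.URL, c[0], c[1]))
	}
}
```

Running it prints one line per scenario: the human user and both robot accounts validate, and the wrong password reports ErrUnauthorized. The point worth checking in a change like this is that the fallback only relaxes the authorization check, never the authentication one: a 401 still ends the login immediately, so the /ping path cannot turn bad credentials into a "successful" login, while an authenticated identity that merely lacks permission on /users/current or /projects gets through.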