
Redirect to login when external login initialization fails#565

Merged
byewokko merged 6 commits into main from fix/ext-login-init-error on Apr 9, 2026

Conversation

@byewokko byewokko (Collaborator) commented Apr 9, 2026

Issue

When external login initialization fails, the user gets stuck on an ugly bare error page.

Fix

Catch the error and redirect the user back to the login page.

Summary by CodeRabbit

  • Bug Fixes

    • External login, signup, and account-pairing flows now consistently redirect to the login page on initialization or finalization failures, clear SSO state, and avoid exposing error pages.
    • External auth failures are now logged and handled to prevent unhandled exceptions from surfacing to users.
  • New Features

    • External auth flows now surface consistent outcome indicators so redirects reflect success or specific failure conditions.

@byewokko byewokko self-assigned this Apr 9, 2026
@byewokko byewokko added the bug Something isn't working label Apr 9, 2026
@coderabbitai coderabbitai bot commented Apr 9, 2026

Warning

Rate limit exceeded

@byewokko has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 43 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 43 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc84c643-e9b9-4ab6-b619-8cb6fb5997bd

📥 Commits

Reviewing files that changed from the base of the PR and between 4cab523 and 2c28126.

📒 Files selected for processing (1)
  • seacatauth/external_login/authentication/service.py
📝 Walkthrough

Walkthrough

Added ExtLoginResult and ExtLoginError enums; updated external-login initialization and finalize flows to catch ExternalLoginError, return standardized error redirect responses (with SSO cookie deletion and resolved redirect URIs), replaced string literals with the new enums, and added a changelog pre-release entry v26.15-alpha1. Also added defensive error handling in the SAML provider when preparing auth requests.

Changes

  • Changelog: CHANGELOG.md
    • Added pre-release entry v26.15-alpha1 documenting “Redirect to login when external login initialization fails”.
  • External Login Service: seacatauth/external_login/authentication/service.py
    • Wrapped _prepare_external_auth_request(...) calls in initialize_*_with_ext_provider with try/except ExternalLoginError; on exception return _error_redirect_response(...) using ExtLoginResult.* (LOGIN_FAILED/SIGNUP_FAILED/PAIRING_FAILED), delete_sso_cookie=True, and resolved redirect_uri. Replaced raising RegistrationNotOpenError with an error redirect for signup. Replaced string result/error literals in finalize handlers with ExtLoginResult/ExtLoginError enums.
  • External Login Utils: seacatauth/external_login/authentication/utils.py
    • Added two enums: ExtLoginResult (SIGNUP_SUCCESS, PAIRING_SUCCESS, LOGIN_SUCCESS, LOGIN_FAILED, SIGNUP_FAILED, PAIRING_FAILED) and ExtLoginError (REGISTRATION_DISABLED, NOT_AUTHENTICATED, ALREADY_EXISTS, NOT_FOUND, ACCESS_DENIED).
  • SAML Provider: seacatauth/external_login/authentication/providers/saml.py
    • prepare_auth_request now wraps saml_client.prepare_for_authenticate(...) in try/except, logging and raising ExternalLoginError("Failed to prepare SAML authentication request.") with the original exception chained.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Client as Client
    participant Service as ExtLogin Service
    participant Provider as SAML/OAuth Provider
    participant Browser as Browser (Redirect)

    Client->>Service: initialize_login_with_ext_provider(request)
    Service->>Provider: _prepare_external_auth_request(...)
    alt provider prepares OK
        Provider-->>Service: auth request (redirect data)
        Service-->>Browser: 302 Redirect -> provider auth URL
        Browser-->>Provider: Browser follows redirect
    else provider raises / ExternalLoginError
        Provider-->>Service: raises ExternalLoginError
        Service-->>Service: log exception, build _error_redirect_response(result=LOGIN_FAILED, ext_login_error=ACCESS_DENIED/...)
        Service-->>Browser: 302 Redirect -> login/redirect_uri (delete SSO cookie)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I nibble logs and mend the fray,
When SAML trips, I lead the way,
Enums in paw, redirects set right,
Cookies cleared so users alight,
v26.15 hops on into the night.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 40.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: catching external login initialization failures and redirecting users to the login page instead of showing bare error pages.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@seacatauth/external_login/authentication/service.py`:
- Around line 110-123: The try/except only catches ExternalLoginError, allowing
provider/library exceptions (e.g., from prepare_for_authenticate) to escape and
produce bare errors; wrap the call to self._prepare_external_auth_request in a
broader exception handler in all initialize paths (login, sign-up, pairing) so
any Exception is caught, logged, and handled by returning
self._error_redirect_response (same signature as the current ExternalLoginError
branch). Specifically update the call sites that invoke
_prepare_external_auth_request (referenced by AuthOperation.LogIn / sign-up /
pairing initialization methods) to catch Exception, log the provider and full
exception details, and return the same fallback redirect
(delete_sso_cookie=True, result="login_failed" or appropriate result for
sign-up/pairing) using _error_redirect_response so provider internals cannot
bypass the redirect flow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 240aab6e-8eb7-4f06-b062-c2c5ffebfbf1

📥 Commits

Reviewing files that changed from the base of the PR and between 67ccc58 and c634936.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • seacatauth/external_login/authentication/service.py

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
seacatauth/external_login/authentication/service.py (1)

486-491: Use ExtLoginError.REGISTRATION_DISABLED in this branch too.

This is the one remaining signup-failure path still sending a raw string, so it sits outside the enum-based contract the rest of the file now uses.

♻️ Suggested cleanup
 		return await self._error_redirect_response(
 			self.LoginUri,
 			result=ExtLoginResult.SIGNUP_FAILED,
 			delete_sso_cookie=True,
-			ext_login_error="registration_disabled",
+			ext_login_error=ExtLoginError.REGISTRATION_DISABLED,
 			redirect_uri=self._get_final_redirect_uri(state)
 		)
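Review bot: the `+ ext_login_error=ExtLoginError.REGISTRATION_DISABLED,` line is only a drop-in replacement for the removed `"registration_disabled"` literal if the enum member serializes to exactly that string in the redirect query. Confirm that ExtLoginError.REGISTRATION_DISABLED's value is "registration_disabled" and that _error_redirect_response emits the member's value rather than str(member) (which would give "ExtLoginError.REGISTRATION_DISABLED"); otherwise the login page's handling of this signup-failure case changes silently, and a unit test on the resulting redirect URL would catch it.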
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@seacatauth/external_login/authentication/service.py` around lines 486 - 491,
Replace the raw string "registration_disabled" with the enum constant
ExtLoginError.REGISTRATION_DISABLED in the _error_redirect_response call so this
signup-failure branch follows the enum-based contract; update the call inside
the branch that returns await self._error_redirect_response(...,
result=ExtLoginResult.SIGNUP_FAILED, ext_login_error=...) to pass
ExtLoginError.REGISTRATION_DISABLED instead of the string, leaving other args
(delete_sso_cookie and redirect_uri=self._get_final_redirect_uri(state))
unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@seacatauth/external_login/authentication/service.py`:
- Around line 170-183: The pairing-init failure path deletes the active SSO
cookie and can log out an already-authenticated user; in the block that catches
ExternalLoginError after calling _prepare_external_auth_request for
AuthOperation.PairAccount, stop clearing the SSO cookie by passing
delete_sso_cookie=False (or omitting that flag) to _error_redirect_response so
existing sessions remain intact; update the catch in the method that calls
_prepare_external_auth_request (referenced by _prepare_external_auth_request,
AuthOperation.PairAccount, and _error_redirect_response) accordingly.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 454a1bb3-1153-4662-a70b-1732687c7e32

📥 Commits

Reviewing files that changed from the base of the PR and between e64c724 and 4cab523.

📒 Files selected for processing (2)
  • seacatauth/external_login/authentication/providers/saml.py
  • seacatauth/external_login/authentication/service.py
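The following Python sketch is an added illustration, not code from the seacatauth project: it ties together the walkthrough's try/except-to-error-redirect pattern (ExtLoginResult/ExtLoginError enums, SSO cookie deletion, resolved redirect_uri, the SAML provider wrapping prepare_for_authenticate), the first review comment's request that any Exception from the provider be caught and logged, and the second review comment's point that the account-pairing path must not clear an authenticated user's SSO cookie. The enum string values, LOGIN_URI, SSO_COOKIE_NAME, ALLOWED_REDIRECT_HOSTS, RedirectResponse and the fake SAML clients are assumptions constructed for the example; the redirect_uri host allowlist goes one step beyond the page as a defensive check on where the failure redirect may send the browser.

```python
import enum
import logging
import urllib.parse
from dataclasses import dataclass, field

L = logging.getLogger(__name__)


class ExtLoginResult(enum.Enum):
	# Member names as listed in the walkthrough; the string values are assumed.
	SIGNUP_SUCCESS = "signup_success"
	PAIRING_SUCCESS = "pairing_success"
	LOGIN_SUCCESS = "login_success"
	LOGIN_FAILED = "login_failed"
	SIGNUP_FAILED = "signup_failed"
	PAIRING_FAILED = "pairing_failed"


class ExtLoginError(enum.Enum):
	REGISTRATION_DISABLED = "registration_disabled"
	NOT_AUTHENTICATED = "not_authenticated"
	ALREADY_EXISTS = "already_exists"
	NOT_FOUND = "not_found"
	ACCESS_DENIED = "access_denied"


class AuthOperation(enum.Enum):
	LogIn = "login"
	SignUp = "signup"
	PairAccount = "pair"


class ExternalLoginError(Exception):
	"""Raised by a provider when it cannot prepare or finish an external auth request."""


@dataclass
class RedirectResponse:
	# Constructed stand-in for the framework's HTTP redirect response.
	location: str
	status: int = 302
	deleted_cookies: set = field(default_factory=set)


LOGIN_URI = "https://auth.example.test/login"  # constructed
SSO_COOKIE_NAME = "sso_session"  # hypothetical cookie name
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}  # hypothetical allowlist of final redirect hosts

FAILED_RESULT = {
	AuthOperation.LogIn: ExtLoginResult.LOGIN_FAILED,
	AuthOperation.SignUp: ExtLoginResult.SIGNUP_FAILED,
	AuthOperation.PairAccount: ExtLoginResult.PAIRING_FAILED,
}


class BrokenSamlClient:
	# Constructed stand-in for a misconfigured SAML library client.
	def prepare_for_authenticate(self):
		raise KeyError("idp_entity_id")


class WorkingSamlClient:
	def prepare_for_authenticate(self):
		return "https://idp.example.test/sso?SAMLRequest=placeholder"


def prepare_saml_auth_request(saml_client):
	# Same shape as the described SAML provider change: any library failure is
	# logged and re-raised as ExternalLoginError with the original exception chained.
	try:
		return saml_client.prepare_for_authenticate()
	except Exception as e:
		L.exception("Failed to prepare SAML authentication request.")
		raise ExternalLoginError("Failed to prepare SAML authentication request.") from e


def _is_allowed_redirect(uri):
	return urllib.parse.urlsplit(uri).hostname in ALLOWED_REDIRECT_HOSTS


def error_redirect_response(login_uri, result, ext_login_error=None, delete_sso_cookie=False, redirect_uri=None):
	# Enum values (not names) go into the query, so the client sees "login_failed".
	params = {"result": result.value}
	if ext_login_error is not None:
		params["ext_login_error"] = ext_login_error.value
	# Only propagate a final redirect target whose host is allowlisted.
	if redirect_uri is not None and _is_allowed_redirect(redirect_uri):
		params["redirect_uri"] = redirect_uri
	response = RedirectResponse(location="{}?{}".format(login_uri, urllib.parse.urlencode(params)))
	if delete_sso_cookie:
		response.deleted_cookies.add(SSO_COOKIE_NAME)
	return response


def initialize_with_ext_provider(operation, prepare_auth_request, redirect_uri=None):
	# prepare_auth_request: zero-argument callable returning the provider's auth URL.
	try:
		auth_url = prepare_auth_request()
	except ExternalLoginError as e:
		L.error("External %s initialization failed: %s", operation.value, e)
	except Exception:
		# Broader catch: a bug inside the provider must not surface as a bare error page.
		L.exception("Unexpected error during external %s initialization", operation.value)
	else:
		return RedirectResponse(location=auth_url)
	return error_redirect_response(
		LOGIN_URI,
		result=FAILED_RESULT[operation],
		ext_login_error=ExtLoginError.ACCESS_DENIED,
		# Pairing runs for an already-authenticated user; clearing the SSO cookie would log them out.
		delete_sso_cookie=(operation is not AuthOperation.PairAccount),
		redirect_uri=redirect_uri,
	)
```

With a working client the login initialization returns the provider's redirect; with the broken client both the SAML wrapper path (ExternalLoginError) and a raw library exception end in the same login-page redirect carrying result=login_failed, and only the login and signup paths delete the SSO cookie.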

@byewokko byewokko merged commit cfb35de into main Apr 9, 2026
8 checks passed
@byewokko byewokko deleted the fix/ext-login-init-error branch April 9, 2026 14:14