Return HTTP Status 403 if org not found in /me

Fix returning non-standard status from AuthorizedUser

server/auth.go

@@ -95,7 +95,8 @@ func AuthorizedUser(
 		if p.Organization == "" {
 			defaultOrg, err := store.Organizations(serverCtx).DefaultOrganization(serverCtx)
 			if err != nil {
-				unknownErrorWithMessage(w, err, logger)
+				log.Error(fmt.Sprintf("Failed to retrieve the default organization: %v", err))
+				Error(w, http.StatusUnauthorized, "User is not authorized", logger)
 				return
 			}
 			p.Organization = fmt.Sprintf("%d", defaultOrg.ID)

server/me.go

@@ -217,10 +217,16 @@ func (s *Service) Me(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		currentOrg, err := s.Store.Organizations(serverCtx).Get(serverCtx, chronograf.OrganizationQuery{ID: &orgID})
+		if err == chronograf.ErrOrganizationNotFound {
+			// The intent is to force a the user to go through another auth flow
+			Error(w, http.StatusForbidden, "user's current organization was not found", s.Logger)
+			return
+		}
 		if err != nil {
 			unknownErrorWithMessage(w, err, s.Logger)
 			return
 		}
+
 		defaultOrgID := fmt.Sprintf("%d", defaultOrg.ID)
 		// If a user was added via the API, they might not yet be a member of the default organization
 		// Here we check to verify that they are a user in the default organization

server/me_test.go

@@ -168,6 +168,62 @@ func TestService_Me(t *testing.T) {
 			wantBody: `{"name":"me","roles":[{"name":"viewer","organization":"0"}],"provider":"github","scheme":"oauth2","links":{"self":"/chronograf/v1/users/0"},"organizations":[{"id":"0","name":"Default","public":true,"defaultRole":"viewer"}],"currentOrganization":{"id":"0","defaultRole":"viewer","name":"Default","public":true}}
 `,
 		},
+		{
+			name: "Existing user - organization doesn't exist",
+			args: args{
+				w: httptest.NewRecorder(),
+				r: httptest.NewRequest("GET", "http://example.com/foo", nil),
+			},
+			fields: fields{
+				UseAuth: true,
+				Logger:  log.New(log.DebugLevel),
+				OrganizationsStore: &mocks.OrganizationsStore{
+					DefaultOrganizationF: func(ctx context.Context) (*chronograf.Organization, error) {
+						return &chronograf.Organization{
+							ID:          0,
+							Name:        "Default",
+							DefaultRole: roles.ViewerRoleName,
+							Public:      true,
+						}, nil
+					},
+					GetF: func(ctx context.Context, q chronograf.OrganizationQuery) (*chronograf.Organization, error) {
+						switch *q.ID {
+						case 0:
+							return &chronograf.Organization{
+								ID:          0,
+								Name:        "Default",
+								DefaultRole: roles.ViewerRoleName,
+								Public:      true,
+							}, nil
+						}
+						return nil, chronograf.ErrOrganizationNotFound
+					},
+				},
+				UsersStore: &mocks.UsersStore{
+					GetF: func(ctx context.Context, q chronograf.UserQuery) (*chronograf.User, error) {
+						if q.Name == nil || q.Provider == nil || q.Scheme == nil {
+							return nil, fmt.Errorf("Invalid user query: missing Name, Provider, and/or Scheme")
+						}
+						return &chronograf.User{
+							Name:     "me",
+							Provider: "github",
+							Scheme:   "oauth2",
+						}, nil
+					},
+					UpdateF: func(ctx context.Context, u *chronograf.User) error {
+						return nil
+					},
+				},
+			},
+			principal: oauth2.Principal{
+				Subject:      "me",
+				Issuer:       "github",
+				Organization: "1",
+			},
+			wantStatus:      http.StatusForbidden,
+			wantContentType: "application/json",
+			wantBody:        `{"code":403,"message":"user's current organization was not found"}`,
+		},
 		{
 			name: "new user - default org is public",
 			args: args{