add a block page to oidc on invallid credentials, fix inifinite login redirect

internal/net/gphttp/error.go

@@ -48,7 +48,6 @@ func ClientError(w http.ResponseWriter, err error, code ...int) {
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(err)
 	} else {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		http.Error(w, err.Error(), code[0])
 	}
 }
@@ -65,7 +64,8 @@ func BadRequest(w http.ResponseWriter, err string, code ...int) {
 	if len(code) == 0 {
 		code = []int{http.StatusBadRequest}
 	}
-	http.Error(w, err, code[0])
+	w.WriteHeader(code[0])
+	w.Write([]byte(err))
 }
 
 // Unauthorized returns an Unauthorized response with the given error message.
@@ -73,6 +73,11 @@ func Unauthorized(w http.ResponseWriter, err string) {
 	BadRequest(w, err, http.StatusUnauthorized)
 }
 
+// Forbidden returns a Forbidden response with the given error message.
+func Forbidden(w http.ResponseWriter, err string) {
+	BadRequest(w, err, http.StatusForbidden)
+}
+
 // NotFound returns a Not Found response with the given error message.
 func NotFound(w http.ResponseWriter, err string) {
 	BadRequest(w, err, http.StatusNotFound)

internal/net/gphttp/middleware/oidc.go

@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"errors"
 	"net/http"
 	"sync"
 	"sync/atomic"
@@ -80,11 +81,13 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 	}
 
 	if err := amw.auth.CheckToken(r); err != nil {
-		amw.authMux.ServeHTTP(w, r)
-		return false
-	}
-	if r.URL.Path == auth.OIDCLogoutPath {
-		amw.auth.LogoutCallbackHandler(w, r)
+		if errors.Is(err, auth.ErrMissingToken) {
+			amw.authMux.ServeHTTP(w, r)
+		} else if r.URL.Path == auth.OIDCLogoutPath {
+			amw.auth.LogoutCallbackHandler(w, r)
+		} else {
+			auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), auth.OIDCLogoutPath)
+		}
 		return false
 	}
 	return true