fix(auth): don't log out on a post-auth 401/403 query error (e.g. UNKNOWN_USER) #19
Merged
…NOWN_USER)

ClickHouse maps several query-level errors to HTTP 403 — ACCESS_DENIED, and UNKNOWN_USER from `SHOW CREATE USER <missing>`. authedFetch treated any 401/403 as a credentials failure and force-logged-out, so an authenticated user running `SHOW CREATE USER 'nobody@x'` got booted to the login screen with the authorization-denied banner.

Fix: track `ctx.authConfirmed` (set on the first 2xx). A 401/403 is only an auth/identity failure *before* the session has authenticated — that keeps the first-contact authorization-denied path (signed in via IdP but CH won't accept the identity). Once a request has succeeded, the same credentials are still valid, so a later 401/403 is a query error: return the response and let the caller show it in the results pane (or as a toast for SHOW CREATE), no logout.

Verified on github.demo: `SHOW CREATE USER 'btyshkevich@gmail.com'` now shows "Code: 192 … UNKNOWN_USER" in the results pane and stays signed in; the existing user still returns its CREATE USER statement.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QennTvGKAtJZrv9EpQagef
BorisTyshkevich pushed a commit that referenced this pull request Jun 22, 2026
Bug
On github.demo, `SHOW CREATE USER 'btyshkevich@altinity.com'` (an existing user) works, but `SHOW CREATE USER 'btyshkevich@gmail.com'` (a missing user) logged the user out with:

Cause
ClickHouse maps several query-level errors to HTTP 403 — `ACCESS_DENIED`, and `UNKNOWN_USER` from `SHOW CREATE USER <missing>`. `authedFetch` treated any 401/403 as a credentials failure → refresh → `onSignedOut`, so a normal query error force-logged-out. (This is the over-broad flip side of the authorization-denied handling added in #11.)

Fix
Track `ctx.authConfirmed`, set on the first 2xx. A 401/403 is only treated as an auth/identity failure before the session has authenticated — preserving the first-contact "signed in via IdP but CH won't accept your identity" path. After a request has succeeded, the same credentials are still good, so a later 401/403 is a query error: `authedFetch` returns the response and the caller surfaces it (results pane, or a toast for SHOW CREATE) — no logout. Token expiry is unaffected (handled by `getToken`/`refresh` before the request; a failed refresh still routes to the expiry sign-out).

Tests / verification
`ch-client.js` stays at 100%; added cases for "a 2xx marks the ctx authenticated" and "a post-auth 403 is returned, not signed-out". Verified live on github.demo: the missing user now shows `Code: 192 … UNKNOWN_USER` in the results pane and stays signed in; the existing user still returns its `CREATE USER …` statement.

🤖 Generated with Claude Code
https://claude.ai/code/session_01QennTvGKAtJZrv9EpQagef
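
The gating described under "Fix", as an added sketch that is not the project's `ch-client.js`. The `ctx` shape, the `'authorization-denied'` reason string and the `simulate` harness are assumptions, and the refresh step is left out.

```javascript
// Added sketch, not the project's ch-client.js. The ctx shape (getToken, fetch,
// onSignedOut) and the 'authorization-denied' reason string are assumptions.
async function authedFetch(ctx, url, init = {}) {
  const token = await ctx.getToken(); // token expiry is handled here, before the request
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  const res = await ctx.fetch(url, { ...init, headers });

  if (res.status >= 200 && res.status < 300) {
    ctx.authConfirmed = true; // the server accepted these credentials at least once
    return res;
  }
  if ((res.status === 401 || res.status === 403) && !ctx.authConfirmed) {
    // First contact rejected: the identity itself is not accepted.
    ctx.onSignedOut('authorization-denied');
    return null;
  }
  // Post-auth 401/403 (e.g. ACCESS_DENIED, UNKNOWN_USER) or any other status:
  // hand the response back so the caller can display the error.
  return res;
}

// Constructed harness: replays a list of HTTP statuses through one session
// and reports what the UI would do for each request.
async function simulate(statuses) {
  const queue = [...statuses];
  const ctx = {
    authConfirmed: false,
    signedOut: false,
    getToken: async () => 'constructed-token',
    fetch: async () => ({ status: queue.shift() }),
    onSignedOut() { this.signedOut = true; },
  };
  const outcomes = [];
  for (let i = 0; i < statuses.length && !ctx.signedOut; i++) {
    const res = await authedFetch(ctx, '/query');
    if (res === null) outcomes.push('signed-out');
    else if (res.status < 300) outcomes.push('ok');
    else outcomes.push(`shown:${res.status}`);
  }
  return outcomes;
}
```

In this sketch, any 401/403 that arrives after a 2xx is returned to the caller, so a rejection with a different cause than a query error is also displayed rather than triggering sign-out.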