auth: Use config_error instead of JsonableError in remote_user_sso.

templates/zerver/config_error.html

@@ -93,6 +93,18 @@
                         </p>
                         {% endif %}
                     {% endif %}
+
+                    {% if remoteuser_error_backend_disabled %}
+                    <p>
+                        Authentication via the REMOTE_USER header is
+                        disabled in `/etc/zulip/settings.py`.
+                    </p>
+                    {% endif %}
+                    {% if remoteuser_error_remote_user_header_missing %}
+                    <p>
+                        The REMOTE_USER header is not set.
+                    </p>
+                    {% endif %}
                     <p>After making your changes, remember to restart
                     the Zulip server.</p>
                 </div>

zerver/tests/test_auth_backends.py

@@ -2225,7 +2225,10 @@ class TestZulipRemoteUserBackend(ZulipTestCase):
     def test_login_failure(self) -> None:
         email = self.example_email("hamlet")
         result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
-        self.assert_json_error(result, "This authentication backend is disabled.")
+        self.assertEqual(result.status_code, 302)
+
+        result = self.client_get(result["Location"])
+        self.assert_in_response("Authentication via the REMOTE_USER header is", result)
         self.assert_logged_in_user_id(None)
 
     def test_login_failure_due_to_nonexisting_user(self) -> None:
@@ -2245,7 +2248,10 @@ class TestZulipRemoteUserBackend(ZulipTestCase):
     def test_login_failure_due_to_missing_field(self) -> None:
         with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
             result = self.client_post('/accounts/login/sso/')
-            self.assert_json_error_contains(result, "No REMOTE_USER set.", 400)
+            self.assertEqual(result.status_code, 302)
+
+            result = self.client_get(result["Location"])
+            self.assert_in_response("The REMOTE_USER header is not set.", result)
 
     def test_login_failure_due_to_wrong_subdomain(self) -> None:
         email = self.example_email("hamlet")

zerver/views/auth.py

@@ -260,14 +260,12 @@ def remote_user_sso(request: HttpRequest,
         realm = None
 
     if not auth_enabled_helper([ZulipRemoteUserBackend.auth_backend_name], realm):
-        raise JsonableError(_("This authentication backend is disabled."))
+        return redirect_to_config_error("remoteuser/backend_disabled")
 
     try:
         remote_user = request.META["REMOTE_USER"]
     except KeyError:
-        # TODO: Arguably the JsonableError values here should be
-        # full-page HTML configuration errors instead.
-        raise JsonableError(_("No REMOTE_USER set."))
+        return redirect_to_config_error("remoteuser/remote_user_header_missing")
 
     # Django invokes authenticate methods by matching arguments, and this
     # authentication flow will not invoke LDAP authentication because of

zproject/urls.py

@@ -585,6 +585,12 @@ i18n_urls = [
     url(r'^config-error/saml$', TemplateView.as_view(
         template_name='zerver/config_error.html',),
         {'saml_error': True},),
+    url(r'^config-error/remoteuser/backend_disabled$', TemplateView.as_view(
+        template_name='zerver/config_error.html',),
+        {'remoteuser_error_backend_disabled': True},),
+    url(r'^config-error/remoteuser/remote_user_header_missing$', TemplateView.as_view(
+        template_name='zerver/config_error.html',),
+        {'remoteuser_error_remote_user_header_missing': True},),
 ]
 
 # Make a copy of i18n_urls so that they appear without prefix for english