

Avoid using oidc callback URL as post-login URL
Co-authored-by: Florent <[email protected]>
jonathanperret and fflorent committed Jan 16, 2025
1 parent d06def9 commit 34f12a4
Showing 2 changed files with 14 additions and 6 deletions.
13 changes: 7 additions & 6 deletions app/client/models/gristUrlState.ts
@@ -97,14 +97,15 @@ export function getWelcomeHomeUrl() {
return _buildUrl('welcome/home').href;
}

const FINAL_PATHS = ['/signed-out', '/account-deleted'];
const PATHS_TO_EXCLUDE_FROM_NEXT = ['/signed-out', '/account-deleted', '/oauth2/callback'];

// Returns the relative URL (i.e. path) of the current page, except when it's the
// "/signed-out" page or "/account-deleted", in which case it returns the home page ("/").
// Returns the relative URL (i.e. path) of the current page, except when it's a page
// that does not make sense to return to after login, such as "/signed-out"
// or "/account-deleted", in which case it returns the home page("/").
// This is a good URL to use for a post-login redirect.
function _getCurrentUrl(): string {
function _getPostLoginTargetUrl(): string {
const {hash, pathname, search} = new URL(window.location.href);
if (FINAL_PATHS.some(final => pathname.endsWith(final))) { return '/'; }
if (PATHS_TO_EXCLUDE_FROM_NEXT.some(path => pathname.endsWith(path))) { return '/'; }

return parseFirstUrlPart('o', pathname).path + search + hash;
}
@@ -114,7 +115,7 @@ function _getLoginLogoutUrl(
page: 'login'|'logout'|'signin'|'signup'|'account-deleted',
options: GetLoginOrSignupUrlOptions = {}
): string {
const {srcDocId, nextUrl = _getCurrentUrl()} = options;
const {srcDocId, nextUrl = _getPostLoginTargetUrl()} = options;
const startUrl = _buildUrl(page);
if (srcDocId) { startUrl.searchParams.set('srcDocId', srcDocId); }
if (nextUrl) { startUrl.searchParams.set('next', nextUrl); }
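Review bot: PATHS_TO_EXCLUDE_FROM_NEXT now carries an entry whose reason differs from the other two, but neither the constant nor the rewritten comment on _getPostLoginTargetUrl says why `/oauth2/callback` is excluded, so a reader cannot tell whether the concern is the page being a dead end or its query string (the new test feeds `?error=something`) being carried into `next`. I would add above the constant `// '/oauth2/callback' is excluded so a login link rendered on a failed OIDC callback does not send the user back into the callback, with its stale query, after signing in.` and name it alongside "/signed-out" in the function comment's examples. The `endsWith` test is a suffix match, so a variant such as a trailing slash (`/oauth2/callback/`) would still be encoded into `next`; whether the server routes that to the callback is outside this hunk, so it may be worth matching the exclusion against the path returned by `parseFirstUrlPart` instead. The value of `next` stays a path plus search and hash, so nothing here widens it into an absolute URL.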
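--- a/test/client/models/gristUrlState.ts
+++ b/test/client/models/gristUrlState.ts
@@ -399,5 +399,12 @@ describe('gristUrlState', function() {
 setWindowLocation('https://docs.getgrist.com/signed-out');
 assert.equal(getLoginUrl(), 'https://docs.getgrist.com/login?next=%2F');
 });
+
+it('getLoginUrl should skip encoding redirect url on oauth2 callback page', function() {
+setWindowLocation('http://localhost:8080/oauth2/callback?error=something');
+assert.equal(getLoginUrl(), 'http://localhost:8080/login?next=%2F');
+setWindowLocation('https://docs.getgrist.com/oauth2/callback?error=something');
+assert.equal(getLoginUrl(), 'https://docs.getgrist.com/login?next=%2F');
+});
 });
 });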
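Review bot: The new test covers only the `?error=something` form of the callback URL, while the exclusion in _getPostLoginTargetUrl keys on the pathname alone, so a callback carrying `?code=…&state=…` and an org-prefixed path such as `/o/<ORG>/oauth2/callback` (placeholder) fall under the same rule and deserve one assertion each, provided the other tests in this describe use that `/o/` form, which I cannot see from this hunk. The test name says "skip encoding redirect url" whereas the assertion checks the fallback to `next=%2F`; `'getLoginUrl should fall back to home as the redirect url on the oauth2 callback page'` states the expected value more directly. The enclosing describe block starts outside the hunk.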
