Merge pull request #78 from Wikia/PLATFORM-7433

PLATFORM-7433 take over return_to param from settings to login flow

Author: harnash

selfservice/flow/settings/handler.go

@@ -2,6 +2,7 @@ package settings
 
 import (
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/julienschmidt/httprouter"
@@ -18,6 +19,7 @@ import (
 	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/errorx"
 	"github.com/ory/kratos/selfservice/flow"
+	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
@@ -85,7 +87,17 @@ func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
 		if x.IsJSONRequest(r) {
 			h.d.Writer().WriteError(w, r, session.NewErrNoActiveSessionFound())
 		} else {
-			http.Redirect(w, r, h.d.Config(r.Context()).SelfServiceFlowLoginUI().String(), http.StatusSeeOther)
+			// Fandom-start - take over return_to param from settings to login flow
+			// upstream PR https://github.com/ory/kratos/pull/2787
+			// TODO: use url.JoinPath (available in go 1.19)
+			loginPath := strings.TrimRight(h.d.Config(r.Context()).SelfPublicURL().String(), "/") + login.RouteInitBrowserFlow
+			redirectUrl, err := x.TakeOverReturnToParameter(r.URL.String(), loginPath)
+			if err != nil {
+				http.Redirect(w, r, h.d.Config(r.Context()).SelfServiceFlowLoginUI().String(), http.StatusSeeOther)
+			} else {
+				http.Redirect(w, r, redirectUrl, http.StatusSeeOther)
+			}
+			// Fandom-end
 		}
 	}))
 

selfservice/flow/settings/handler_test.go

@@ -141,10 +141,24 @@ func TestHandler(t *testing.T) {
 		})
 
 		t.Run("description=init a flow as browser", func(t *testing.T) {
-			t.Run("description=without privileges", func(t *testing.T) {
-				res, body := initSPAFlow(t, new(http.Client))
-				assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "%s", body)
-				assert.Equal(t, text.ErrNoActiveSession, gjson.GetBytes(body, "error.id").String(), "%s", body)
+			t.Run("case=unauthorized users are redirected to login", func(t *testing.T) {
+				c := testhelpers.NewClientWithCookies(t)
+				// prevent the redirect
+				c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+					return http.ErrUseLastResponse
+				}
+				returnTo := "?return_to=validRedirect"
+				req, err := http.NewRequest("GET", publicTS.URL+settings.RouteInitBrowserFlow+returnTo, nil)
+				require.NoError(t, err)
+
+				res, err := c.Do(req)
+				require.NoError(t, err)
+				// here we check that the redirect status is 303
+				require.Equal(t, http.StatusSeeOther, res.StatusCode)
+				location, err := res.Location()
+				require.NoError(t, err)
+				require.Equal(t, publicTS.URL+login.RouteInitBrowserFlow+returnTo, location.String())
+				defer res.Body.Close()
 			})
 
 			t.Run("description=success", func(t *testing.T) {
@@ -179,6 +193,12 @@ func TestHandler(t *testing.T) {
 		})
 
 		t.Run("description=init a flow as SPA", func(t *testing.T) {
+			t.Run("description=without privileges", func(t *testing.T) {
+				res, body := initSPAFlow(t, new(http.Client))
+				assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "%s", body)
+				assert.Equal(t, text.ErrNoActiveSession, gjson.GetBytes(body, "error.id").String(), "%s", body)
+			})
+
 			t.Run("description=success", func(t *testing.T) {
 				user1 := testhelpers.NewHTTPClientWithArbitrarySessionToken(t, reg)
 				res, body := initSPAFlow(t, user1)