fix: returnTo not used when checking where to redirect

Urbansson · Urbansson · commit 9928e7fa53df · 2022-07-14T12:31:29.000+02:00
diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -82,6 +82,7 @@ func (e *HookExecutor) PostLoginHook(w http.ResponseWriter, r *http.Request, a *
 	// Verify the redirect URL before we do any other processing.
 	c := e.d.Config(r.Context())
 	returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(),
+		x.SecureRedirectReturnTo(a.ReturnTo),
 		x.SecureRedirectUseSourceURL(a.RequestURL),
 		x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()),
 		x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()),
diff --git a/selfservice/flow/registration/hook.go b/selfservice/flow/registration/hook.go
@@ -128,6 +128,7 @@ func (e *HookExecutor) PostRegistrationHook(w http.ResponseWriter, r *http.Reque
 	// Verify the redirect URL before we do any other processing.
 	c := e.d.Config(r.Context())
 	returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(),
+		x.SecureRedirectReturnTo(a.ReturnTo),
 		x.SecureRedirectUseSourceURL(a.RequestURL),
 		x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()),
 		x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()),
diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go
@@ -20,6 +20,7 @@ import (
 type secureRedirectOptions struct {
 	allowlist       []url.URL
 	defaultReturnTo *url.URL
+	returnTo        string
 	sourceURL       string
 }
 
@@ -40,6 +41,13 @@ func SecureRedirectUseSourceURL(source string) SecureRedirectOption {
 	}
 }
 
+// SecureRedirectReturnTo uses the provided URL to redirect the user to it.
+func SecureRedirectReturnTo(returnTo string) SecureRedirectOption {
+	return func(o *secureRedirectOptions) {
+		o.returnTo = returnTo
+	}
+}
+
 // SecureRedirectAllowSelfServiceURLs allows the caller to define `?return_to=` values
 // which contain the server's URL and `/self-service` path prefix. Useful for redirecting
 // to the login endpoint, for example.
@@ -85,9 +93,10 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR
 		}
 	}
 
-	if len(source.Query().Get("return_to")) == 0 {
+	rawReturnTo := stringsx.Coalesce(o.returnTo, source.Query().Get("return_to"))
+	if rawReturnTo == "" {
 		return o.defaultReturnTo, nil
-	} else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil {
+	} else if returnTo, err = url.Parse(rawReturnTo); err != nil {
 		return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ import (`
`20`	`20`	`type secureRedirectOptions struct {`
`21`	`21`	`allowlist []url.URL`
`22`	`22`	`defaultReturnTo *url.URL`
	`23`	`+ returnTo string`
`23`	`24`	`sourceURL string`
`24`	`25`	`}`
`25`	`26`
`@@ -40,6 +41,13 @@ func SecureRedirectUseSourceURL(source string) SecureRedirectOption {`
`40`	`41`	`}`
`41`	`42`	`}`
`42`	`43`
	`44`	`+// SecureRedirectReturnTo uses the provided URL to redirect the user to it.`
	`45`	`+func SecureRedirectReturnTo(returnTo string) SecureRedirectOption {`
	`46`	`+ return func(o *secureRedirectOptions) {`
	`47`	`+ o.returnTo = returnTo`
	`48`	`+ }`
	`49`	`+}`
	`50`	`+`
`43`	`51`	// SecureRedirectAllowSelfServiceURLs allows the caller to define `?return_to=` values
`44`	`52`	// which contain the server's URL and `/self-service` path prefix. Useful for redirecting
`45`	`53`	`// to the login endpoint, for example.`
`@@ -85,9 +93,10 @@ func SecureRedirectTo(r http.Request, defaultReturnTo url.URL, opts ...SecureR`
`85`	`93`	`}`
`86`	`94`	`}`
`87`	`95`
`88`		`- if len(source.Query().Get("return_to")) == 0 {`
	`96`	`+ rawReturnTo := stringsx.Coalesce(o.returnTo, source.Query().Get("return_to"))`
	`97`	`+ if rawReturnTo == "" {`
`89`	`98`	`return o.defaultReturnTo, nil`
`90`		`- } else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil {`
	`99`	`+ } else if returnTo, err = url.Parse(rawReturnTo); err != nil {`
`91`	`100`	`return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err)`
`92`	`101`	`}`
`93`	`102`