Add-PodeAuth -SuccessUseOrigin doesn't redirect to requested site #1007

Closed
thekamilpro opened this issue Sep 1, 2022 · 11 comments · Fixed by #1359

@thekamilpro

Describe the Bug

Experienced this particular issue while using Azure AD, single sign on, global authentication.

The bug affects only the very first login (where I guess there's no session, or it expired). When accessing a specific page, e.g. https://example.com/cat-facts, successful authentication redirects to https://example.com/ - so the user would either need to manually open the desired page, or click the link a second time.

Steps To Reproduce

  1. Use Add-PodeAuth -SuccessUseOrigin
  2. Go to https://example.com/cat-facts
  3. You're being redirected to https://example.com/

Expected Behaviour

Ideally, Pode would "remember" the originating site and redirect to it after successful authentication.
Going to https://example.com/cat-facts would in fact redirect to https://example.com/cat-facts after the initial successful authentication.

Platform

  • OS: [Windows]
  • Browser: [Edge]
  • Versions:
    • Pode: [Pode v2.7.1]
    • PodeWeb: [0.8.1]
    • PowerShell: [PS5.1]
@robertfshort

I just ran into what I think is this bug today. When I'm using Azure AD for auth with -SuccessUseOrigin it redirects back to http://localhost:8081/oauth2/callback?code=

Also on Pode 2.7.1 and Windows PowerShell 5.1

@Badgerati moved this to Backlog in 🚀 Pode Roadmap Oct 25, 2022
@Badgerati added this to the 2.8.0 milestone Nov 15, 2022
@Badgerati
Owner

Hey @thekamilpro, @robertfshort,

I think I might have just fixed this one as a part of #1036 - as redirecting now seems to work OK for me.

Would either of you be in a position to test what's currently in the develop branch, and see if redirecting now works for yourselves?

If you can't get develop to build locally, I believe changing the line locally at

    if ($Success.UseOrigin -and ($WebEvent.Method -ieq 'get')) {

to be just if ($Success.UseOrigin) { should work 🤔

Thanks! 😄

@robpitcher

I'm having the same issue as @thekamilpro while trying to use the -SuccessUseOrigin switch with Add-PodeAuth. I also tried modifying line 1345 of Pode/src/Private/Authentication.ps1:

    if ($Success.UseOrigin -and ($WebEvent.Method -ieq 'get')) {

to be just if ($Success.UseOrigin) {

However, the issue persisted.

Platform

  • Pode Host: [Ubuntu 22.04]
  • Powershell: [7.3.0]
  • Pode Module: [2.7.2]
  • Client Browser: [Edge v109.0.1518.55]

@Badgerati
Owner

Hey @thekamilpro, @robpitcher,

I might have found the issue: the redirecturl cookie wasn't being set when the redirect for oauth occurred.

Along with the change stated in my previous comment, you'll also need to add the following lines:

    if ($auth.Success.UseOrigin -and ($WebEvent.Method -ieq 'get')) {
        $null = Set-PodeCookie -Name 'pode.redirecturl' -Value $WebEvent.Request.Url.PathAndQuery
    }

to just before this line (still within the if ($result.IsRedirected)):

    return $false

I was able to reproduce the issue, and with the above lines the redirecting to the originating page now works for me.

If you're able to test this, let me know what happens 😄

@robpitcher

So I'm now seeing the pode.redirecturl cookie is being set, but it still doesn't redirect as expected. I tested a workaround by adding some logic to the scriptblock of route /oauth2/callback to handle the redirect and this worked:

    Add-PodeRoute -Method Get -Path '/oauth2/callback' -Authentication Login -ScriptBlock {
        $originPage = Get-PodeCookie -Name 'pode.redirecturl'
        Move-PodeResponseUrl -Url $originPage.value
    }

@Badgerati
Owner

Hi @robpitcher,

That's interesting, because that's the same logic Pode uses to do the redirecting directly within authentication 🤔

Are you able to show more of your script - mostly the lines where you add the auth/scheme?

@Badgerati modified the milestones: 2.8.0, 2.8.1 Jan 27, 2023
@robpitcher

@Badgerati yes, here's the full auth/scheme setup:

    Enable-PodeSessionMiddleware -Duration 120 -Extend
    $scheme = New-PodeAuthAzureADScheme -ClientID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ClientSecret 'xxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxx' -Tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -RedirectUrl https://api.mydomain.com/oauth2/callback
    $scheme | Add-PodeAuth -Name 'Login' -SuccessUseOrigin -ScriptBlock {
        param($user, $accessToken, $refreshToken, $response)
        # check if the user is valid
        return @{ User = $user }
    }

@Badgerati
Owner

@robpitcher,

I might have found something, what happens if you set -SuccessUrl '/' (or any random path in theory, since we're redirecting to the origin) on your Add-PodeAuth?

@robpitcher

> what happens if you set -SuccessUrl '/' (or any random path in theory, since we're redirecting to the origin) on your Add-PodeAuth?

So I tested this and the result was that I was redirected to the SuccessUrl regardless of origin. Tested this on Pode v2.8.0.

@Badgerati removed this from the 2.8.1 milestone Jul 7, 2023
@robertfshort

Looks like this issue still exists in 2.10.1

I tried setting up a custom callback as @robpitcher suggested, but get a 500 error. Did the change to set the redirection cookie ever make it into the base version of Pode, or do I need to go make the changes @Badgerati noted above? Alternatively, is there something I can add to my code to set that cookie rather than having to modify the base Pode files?


start-podeserver {
    add-podeendpoint -address * -hostname localhost -port 8081 -protocol http
    enable-podesessionmiddleware -duration 1200 -extend 

    $scheme = New-PodeAuthAzureADScheme @azureauth -RedirectUrl '/callback'

    $scheme | Add-PodeAuth -Name 'Login' -FailureUrl '/loginfailure' -Successuseorigin -ScriptBlock {
        param($user, $accessToken, $refreshToken, $response)
        $id_token=convertfrom-podejwt -token $response.id_token -IgnoreSignature
        $user|add-member -NotePropertyName 'roles' -NotePropertyValue $id_token
        return @{User = $user}
    }

    Add-PodeRoute -Method Get -Path '/' -ScriptBlock {
        $html=@"
        Page Name: $($webevent.path)<br>
Session data: Username:  $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
    <a href="/">index page</a><br>
    <a href="/locked">auth-required page</a><br>
    <a href="/login">login page</a><br>
    <a href="/docs">API Documentation Page</a><br>
    <br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }

    Add-PodeRoute -Method Get -Path '/locked' -Authentication Login -scriptblock{
        $html=@"
        Page Name: $($webevent.path)<br>
Session data: Username:  $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
    <a href="/">index page</a><br>
    <a href="/locked">auth-required page</a><br>
    <a href="/login">login page</a><br>
    <a href="/docs">API Documentation Page</a><br>
    <br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }
    Add-PodeRoute -Method Get -Path '/loginfailure' -Authentication Login -scriptblock{
        $html=@"
        Page Name: $($webevent.path)<br>
Session data: Username:  $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
    <a href="/">index page</a><br>
    <a href="/locked">auth-required page</a><br>
    <a href="/login">login page</a><br>
    <a href="/docs">API Documentation Page</a><br>
    <br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }
    # login - this will just redirect to azure
    Add-PodeRoute -Method Get -Path '/login' -Authentication Login

    # logout
    Add-PodeRoute -Method post -Path '/logout' -Authentication Login -Logout -scriptblock{
        move-poderesponseurl -url '/'
    }

    Add-PodeRoute -Method Get -Path '/callback' -Authentication Login -ScriptBlock {
        Get-PodeCookie -Name 'pode.redirecturl'|out-default
        $originPage = Get-PodeCookie -Name 'pode.redirecturl'
        Move-PodeResponseUrl -Url $originPage.value
    }

    Enable-podeopenapi -path '/docs/openapi' -DisableMinimalDefinitions #-EnableSchemaValidation
    add-podeOAInfo -title 'API Docs' -Version 1.0.0 -description "Documentation"
    #write-podehost "Enabling openapi viewers"
    enable-podeopenapiviewer -type swagger -path '/docs/swagger'
    enable-podeopenapiviewer -type redoc -path '/docs/redoc'
    enable-podeopenapiviewer -bookmarks -path '/docs'
}
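
Both callback workarounds posted in this thread pass the pode.redirecturl cookie value straight to Move-PodeResponseUrl; a cookie value arrives from the browser, so it is client-supplied input and may also be absent. The following is an added example (not code from the thread or from Pode) that restricts that value to a same-site path before redirecting; Get-SafeRedirectPath and its parameters are hypothetical names, and the sample values are constructed.

```powershell
# Added example: Get-SafeRedirectPath is a hypothetical helper, not part of Pode.
function Get-SafeRedirectPath {
    param(
        [string] $Candidate,              # raw value read from the cookie
        [string] $CallbackPath = '',      # OAuth callback path that must never be a target
        [string] $Fallback = '/'          # used whenever the value is rejected
    )

    # Missing or empty cookie: nothing to go back to.
    if ([string]::IsNullOrWhiteSpace($Candidate)) { return $Fallback }

    # Only a path on this site is acceptable: exactly one leading slash.
    # Absolute URLs and '//host' (scheme-relative) point at another origin.
    if ($Candidate -notmatch '^/(?!/)') { return $Fallback }

    # Backslashes are read as slashes by some browsers ('/\host'), and
    # control characters such as CR/LF have no place in a Location header.
    if ($Candidate -match '[\\\x00-\x1f\x7f]') { return $Fallback }

    # Never bounce back to the callback itself (e.g. '/oauth2/callback?code=...').
    $pathOnly = ($Candidate -split '\?', 2)[0]
    if ($CallbackPath -and ($pathOnly -ieq $CallbackPath)) { return $Fallback }

    return $Candidate
}

# Constructed sample cookie values, for illustration only.
$samples = @(
    '/cat-facts', '/locked?tab=2', '', 'https://other.example/',
    '//other.example/x', '/\other.example', '/oauth2/callback?code=abc'
)
foreach ($s in $samples) {
    $target = Get-SafeRedirectPath -Candidate $s -CallbackPath '/oauth2/callback'
    '{0,-28} -> {1}' -f "[$s]", $target
}

# Use inside the callback route (assumes the helper is visible in the route's runspace):
# Add-PodeRoute -Method Get -Path '/oauth2/callback' -Authentication Login -ScriptBlock {
#     $origin = Get-PodeCookie -Name 'pode.redirecturl'
#     Move-PodeResponseUrl -Url (Get-SafeRedirectPath -Candidate $origin.Value -CallbackPath '/oauth2/callback')
# }
```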

@Badgerati
Owner

Hi @robertfshort,

The redirect code above wasn't added in, I actually thought I had!

The authentication logic has changed quite a bit since the line changes referenced above were suggested, so I'll need to go back and see if anything needs re-implementing.
