
the "originalUrl" is not used as the default "returnTo" url, the baseUrl is #479

Closed
6 tasks done
jordanst3wart opened this issue Jul 20, 2023 · 2 comments
Labels
question Further information is requested

Comments

@jordanst3wart
Description

The baseUrl is used as the returnTo value as a default, when it should be the "originalUrl" the request came from.

The error is here. It should use returnTo if defined or originalUrl:

res.oidc.login({ returnTo: config.baseURL })

This is a regression of this fix: #95

I believe the originalUrl is the "referrer" header in the Get login request.

Reproduction

Try logging into an application. The state should include a returnTo value of the baseUrl, and not the original url the request was from.

Additional context

No response

express-openid-connect version

any v2 version

Express version

any

Node.js version

any

@jordanst3wart jordanst3wart added the bug Something isn't working label Jul 20, 2023
@adamjmcgrath
Contributor

Hi @jordanst3wart - thanks for raising this

This behaviour is as designed: we don't use the referrer header in the returnTo by default because the referrer header can be a third party (e.g. if Google linked to your login page, you would return to Google after login). If you want this behaviour you can override the default login route behaviour, see https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#3-route-customization

> The baseUrl is used as the returnTo value as a default, when it should be the "originalUrl" the request came from.
> The error is here. It should use returnTo if defined or originalUrl:

originalUrl in this instance is the /login route, so if you returned to that page after login you would be stuck in an infinite loop.

> This is a regression of this fix: #95

There is no regression; this behaviour works as designed. When you protect a route with requiresAuth you will be returned to that route after login (this is the behaviour that was fixed in #95), see https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#2-require-authentication-for-specific-routes

@adamjmcgrath adamjmcgrath added question Further information is requested and removed bug Something isn't working labels Jul 20, 2023
@jordanst3wart
Author

Yeah, the number 2 sample works as expected.

Thanks for your time! Closing
