From ef7e6d85a6ddaa606a6a317d6bd311aaf2ca7583 Mon Sep 17 00:00:00 2001
From: David Patrick
Date: Sun, 3 May 2020 15:48:42 -0700
Subject: [PATCH 1/2] Fix returnTo on Login

When no returnTo is passed into the login call, it should redirect to the URL that it was called from on GET Requests. This is in line with documentation at https://github.com/auth0/express-openid-connect/blob/master/API.md#response
---
 lib/context.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/context.js b/lib/context.js
index 873806d6..19b978a6 100644
--- a/lib/context.js
+++ b/lib/context.js
@@ -55,10 +55,17 @@ class ResponseContext {
 const config = this._config;
 const client = req.openid.client;
 
- // Set default returnTo value, allow passed-in options to override.
+ // Set default returnTo value, allow passed-in options to override or use originalUrl on GET
+ let returnTo = this._config.baseURL;
+ if (options.returnTo) {
+ returnTo = options.returnTo;
+ } else if (req.method === 'GET' && req.originalUrl) {
+ returnTo = req.originalUrl;
+ }
+
 options = {
- returnTo: this._config.baseURL,
 authorizationParams: {},
+ returnTo,
 ...options
 };
 
From 67daff1784afbc692e3d8c1a5d7ee6cca8986326 Mon Sep 17 00:00:00 2001
From: adamjmcgrath
Date: Mon, 4 May 2020 08:28:48 +0100
Subject: [PATCH 2/2] Add a test

---
 test/requiresAuth.tests.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/requiresAuth.tests.js b/test/requiresAuth.tests.js
index aa77c4a2..0fbe2518 100644
--- a/test/requiresAuth.tests.js
+++ b/test/requiresAuth.tests.js
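Review bot: The value copied from `req.originalUrl` into `returnTo` is request-controlled and goes into the authorization state without any shape check; Express reports the raw request-target there, so a request for `//host/path` yields an originalUrl of `//host/path`, which a later relative resolution against baseURL would turn into a different origin. How returnTo is consumed after the callback is outside this hunk, so I cannot confirm that resolution, but accepting only a same-origin path at the point of capture is the cheap defence: `} else if (req.method === 'GET' && typeof req.originalUrl === 'string' && req.originalUrl.startsWith('/') && !req.originalUrl.startsWith('//')) {`. A smaller point of style: the context line two above already binds `const config = this._config;`, so the new default should read `let returnTo = config.baseURL;` rather than reaching through `this._config` again. The enclosing method starts and ends outside the hunk.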
@@ -30,6 +30,12 @@ describe('requiresAuth middleware', function() {
 it('should contain a location header to the issuer', function() {
 assert.include(response.headers.location, 'https://test.auth0.com');
 });
+ it('should contain a location header with state containing return url', function() {
+ const state = (new URL(response.headers.location)).searchParams.get('state');
+ const decoded = Buffer.from(state, 'base64');
+ const parsed = JSON.parse(decoded);
+ assert.equal(parsed.returnTo, '/protected');
+ });
 });
 
 describe('when removing the auth middleware', function() {
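Review bot: The new test pins only the GET/originalUrl branch of the companion change in lib/context.js; the fallback to baseURL for non-GET requests and the precedence of an explicit `returnTo` option get no coverage here, and the fallback is the branch a regression would most quietly break. A second `it` that issues a POST to the same protected route and asserts that the decoded state's `returnTo` equals the configured baseURL would close that gap. The expected value `'/protected'` presumably matches the path requested in a `before` hook that sits outside the hunk, as does the enclosing describe block, so I cannot confirm it from here. A point of style: `JSON.parse(decoded)` relies on implicit Buffer-to-string coercion; `JSON.parse(decoded.toString('utf8'))` says what is meant.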