[GH-1092] Redirect the user to correct URL after login

[TejasRGitHub]

Feature or Bugfix

• Feature

Detail

• Code which uses session storage to redirect user to the correct URL
• As the code only contains window path ( not the domain / entire link ) and also there are checks to see if the window path mostly comprises of / and alphanumeric it it robust from security stand point

Relates

• Redirect to correct URL instead of landing page #1092

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)? No
  • Is the input sanitized?
  • What precautions are you taking before deserializing the data you consume?
  • Is injection prevented by parametrizing queries?
  • Have you ensured no eval or similar functions are used?
• Does this PR introduce any functionality or component that requires authorization? Yes
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms? Yes
  • Are you logging failed auth attempts? N/A
• Are you using or adding any cryptographic features? No
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored?
• Are you introducing any new policies/roles/users? No
  • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[TejasRGitHub]

Checking this explicitly so that we do not set the '/' which will happen in case a user logsout and then pastes the URL in the browser and again tries to logback with the new URL . As the user logged out the redirect URL is the base URL and then this gets stored in the window-location which should not be the case. We only want to store window location path pointing to specific path

[SofiaSazonova]

As a suggestion for enhancement, related to the window path.

There can be a situation:

1. UserB send a link to UserA to a data.all resource
2. UserA wants to login and be redirected to this resource, but they are not authorised to see it. So, they see an error(which can disappear quickly, it's unconvenient to copy the error text) and a blank page.

May be UserA should be redirected to another "Access denied" page?

[SofiaSazonova]

What's wrong with long URLs? Why 50? Maybe it's better to make it a param, not magic constant.

[TejasRGitHub]

Hi @SofiaSazonova , Thanks for the review. I added this number by heuristically checking the length of the windowpath for the longest URL. I think it was the URL to table in a dataset and it was approx 33 - 37 characters.

I can make it a param and store it in the contants.js . What are your thoughts ?

[SofiaSazonova]

I'd rather make it a setting, rather then a constant.
The maximum URL length is something the customer may want to define before the deployment, and it's more an attribute of solution rather then code constant.
But maybe @dlpzx can correct me here.

[TejasRGitHub]

Hi @SofiaSazonova , Thanks for re-reviewing it. In the length check we are actually checking the windowPath length . The window path length is excluding the URL domain. Thus, the window path length will contain all the resource paths to the data.all related items ( datasets, shares, tables, etc ) and won't contain anything else that might be customer specific. Unless a customer integrates a custom module ( not on data.all O.S. ) by themselves which have very large windowpath names I don't think we need to make it configurable. Please let me know if you want to still make it configurable.

@dlpzx , would also like to know your thoughts on this

[SofiaSazonova]

@TejasRGitHub in this case, constants is a good place for it.

[TejasRGitHub]

Hi @SofiaSazonova , Updated code to make it a constant . Please let me know if it looks good

[TejasRGitHub]

As a suggestion for enhancement, related to the window path.

There can be a situation:

1. UserB send a link to UserA to a data.all resource
2. UserA wants to login and be redirected to this resource, but they are not authorised to see it. So, they see an error(which can disappear quickly, it's unconvenient to copy the error text) and a blank page.

May be UserA should be redirected to another "Access denied" page?

Hi @SofiaSazonova , I like this enhancement and maybe could be added in the future releases

[SofiaSazonova]

Just the tiny thing left: max URL length as a constant/setting

[TejasRGitHub]

Addressed remaining review comments.

[SofiaSazonova]

@TejasRGitHub Thanks!