Save incoming returnToUrl from query string in session #19

dmitrizagidulin · 2018-05-05T22:13:19Z

No description provided.

…rkflow.

dmitrizagidulin · 2018-05-05T22:14:41Z

Addresses issue #17

dmitrizagidulin · 2018-05-05T22:15:29Z

Ready for review.

RubenVerborgh · 2018-05-06T01:50:27Z

Thanks so much, will look at this ASAP (but have some backlog after a week of Solid).

RubenVerborgh

Thanks! Tested and works, but a couple of minor concerns on the code itself.

RubenVerborgh · 2018-05-19T12:17:57Z

src/handlers/auth-callback-request.js

+  static extractReturnToUrl (session) {
+    const returnToUrl = session.returnToUrl
+
+    return returnToUrl ? decodeURIComponent(returnToUrl) : null


What if it's null?

If I understand your question correctly -- if this function returns null, then it'll be set to the default / in the AuthCallbackRequest constructor.

RubenVerborgh · 2018-05-19T12:18:44Z

test/unit/auth-callback-request.js

      let host = { serverUri: 'https://example.com' }
-      let session = { returnToUrl: 'https://example.com/resource' }
+      let returnToUrl = 'https://example.com/resource#hash'
+      let session = { returnToUrl: encodeURIComponent(returnToUrl) }


Why encoded?

I am assuming (based on what I saw the 401 error handler doing in solid-server) that the returnToUrl is being url-encoded before being stuffed in a query parameter. (So, I'm simulating that in this unit test). Is that not the right assumption?

Yeah, because it needs to be URL-encoded as an URL parameter. However, decoding is part of URL query string parsing, so it should be fine (and in any case, the session should have the unencoded value).

RubenVerborgh · 2018-05-19T12:18:57Z

test/unit/auth-callback-request.js

+
+    it('should return a url-decoded returnToUrl from session', () => {
+      let returnToUrl = 'https://example.com/resource#hash'
+      let session = { returnToUrl: encodeURIComponent(returnToUrl) }


Why encoded?

RubenVerborgh · 2018-05-19T12:19:24Z

src/handlers/select-provider-request.js

      webId,
      oidcManager,
      serverUri,
+      returnToUrl: query.returnToUrl,


This one should normally already be decoded.

Is it automatically decoded by Express?

Yes, query is the parsed query string, which includes decoding.

dmitrizagidulin · 2018-05-23T15:39:36Z

@RubenVerborgh - I removed the encoding & decoding of returnToUrl, per your suggestions.

Let me know if there's anything else.

RubenVerborgh · 2018-05-23T15:44:00Z

Thanks, retested and works!

Could you do a release after you merge?
However, I see npm complains about vulnerabilities in dependencies, would be good to fix those first. I'll do that and submit a PR.

dmitrizagidulin · 2018-05-23T15:50:28Z

@RubenVerborgh sure thing, re release.

(Are you talking about the base64url vulnerability? I'm in the process of fixing that upstream -- there's like half a dozen libraries that need to be changed.)

RubenVerborgh · 2018-05-23T15:51:38Z

No, lots of vulnerabilities in random npm packages. Mostly an update to package-lock.json. Pull request coming in a couple of minutes.

dmitrizagidulin · 2018-05-23T15:52:25Z

@RubenVerborgh ok cool! :) What should I do with this PR - merge it, or wait for yours?

RubenVerborgh · 2018-05-23T15:53:31Z

You can merge this one, just wait for mine to release please :-)

dmitrizagidulin · 2018-05-23T15:53:55Z

Thanks, got it.

RubenVerborgh · 2018-05-23T15:57:50Z

PR in #21

dmitrizagidulin added 2 commits May 5, 2018 17:55

Save returnToUrl query param in session, in SelectProviderRequest.

cbb4fe4

Extract and decode the returnToUrl from session when resuming user wo…

f99e532

…rkflow.

dmitrizagidulin changed the title ~~Fix passing delay option, add diagnostic debug statements~~ Save incoming returnToUrl from query string in session May 5, 2018

dmitrizagidulin assigned RubenVerborgh May 5, 2018

RubenVerborgh reviewed May 19, 2018

View reviewed changes

Remove encoding/decoding of returnToUrl.

fac4d19

dmitrizagidulin merged commit 8188da8 into master May 23, 2018

dmitrizagidulin deleted the dz-returnToUrl branch May 23, 2018 15:54

RubenVerborgh mentioned this pull request May 23, 2018

Respect incoming returnToUrl from query string #17

Closed

Save incoming returnToUrl from query string in session #19

Save incoming returnToUrl from query string in session #19

Uh oh!

Conversation

dmitrizagidulin commented May 5, 2018

Uh oh!

dmitrizagidulin commented May 5, 2018

Uh oh!

dmitrizagidulin commented May 5, 2018

Uh oh!

RubenVerborgh commented May 6, 2018

Uh oh!

RubenVerborgh left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dmitrizagidulin commented May 23, 2018

Uh oh!

RubenVerborgh commented May 23, 2018

Uh oh!

dmitrizagidulin commented May 23, 2018

Uh oh!

RubenVerborgh commented May 23, 2018

Uh oh!

dmitrizagidulin commented May 23, 2018

Uh oh!

RubenVerborgh commented May 23, 2018

Uh oh!

dmitrizagidulin commented May 23, 2018

Uh oh!

RubenVerborgh commented May 23, 2018

Uh oh!

Uh oh!