From patchwork Wed Jul 29 15:25:44 2020
Date: Wed, 29 Jul 2020 17:25:44 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi To: aur-dev@archlinux.org Subject: [PATCH] Redirect to referer after SSO login Message-ID: <20200729152544.GA660646@tsubame.mg0.fr> MIME-Version: 1.0 Content-Disposition: inline X-BeenThere: aur-dev@archlinux.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Arch User Repository \(AUR\) Development" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: aur-dev-bounces@archlinux.org Sender: "aur-dev" Introduce a `redirect` query argument to SSO login endpoints so that users are redirected to the page they were originally on when they clicked the Login link. --- aurweb/routers/sso.py | 23 +++++++++++++++++------ web/html/login.php | 18 ++++++++++++------ 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py index 2e4fbacc..4ef31b0a 100644 --- a/aurweb/routers/sso.py +++ b/aurweb/routers/sso.py @@ -30,16 +30,21 @@ oauth.register( @router.get("/sso/login") -async def login(request: Request): +async def login(request: Request, redirect: str = None): """ Redirect the user to the SSO provider’s login page. We specify prompt=login to force the user to input their credentials even if they’re already logged on the SSO. This is less practical, but given AUR has the potential to impact many users, better safe than sorry. + + The `redirect` argument is a query parameter specifying the post-login + redirect URL. """ - redirect_uri = aurweb.config.get("options", "aur_location") + "/sso/authenticate" - return await oauth.sso.authorize_redirect(request, redirect_uri, prompt="login") + authenticate_url = aurweb.config.get("options", "aur_location") + "/sso/authenticate" + if redirect: + authenticate_url = authenticate_url + "?" + urlencode([("redirect", redirect)]) + return await oauth.sso.authorize_redirect(request, authenticate_url, prompt="login") def is_account_suspended(conn, user_id): 
@@ -82,8 +87,15 @@ def is_ip_banned(conn, ip): return result.fetchone() is not None +def is_aur_url(url): + aur_location = aurweb.config.get("options", "aur_location") + if not aur_location.endswith("/"): + aur_location = aur_location + "/" + return url.startswith(aur_location) + + @router.get("/sso/authenticate") -async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): +async def authenticate(request: Request, redirect: str = None, conn=Depends(aurweb.db.connect)): """ Receive an OpenID Connect ID token, validate it, then process it to create an new AUR session. @@ -118,8 +130,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): return "Sorry, we don’t seem to know you Sir " + sub elif len(aur_accounts) == 1: sid = open_session(request, conn, aur_accounts[0][Users.c.ID]) - response = RedirectResponse("/") - # TODO redirect to the referrer + response = RedirectResponse(redirect if redirect and is_aur_url(redirect) else "/") response.set_cookie(key="AURSID", value=sid, httponly=True, secure=request.url.scheme == "https") if "id_token" in token: diff --git a/web/html/login.php b/web/html/login.php index 3a146f60..3f3d66cc 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -9,6 +9,10 @@ if (!$disable_http_login || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) { $login_error = $login['error']; } +$referer = in_request('referer'); +if ($referer === '') + $referer = $_SERVER['HTTP_REFERER']; + html_header('AUR ' . __("Login")); ?>
@@ -40,13 +44,15 @@ html_header('AUR ' . __("Login"));

" /> [] - - [] + + [] - - - - + +
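Review bot: In the `/sso/login` hunk, appending `?redirect=...` to `authenticate_url` makes the OAuth `redirect_uri` differ from request to request; OpenID Connect providers compare `redirect_uri` against the registered value by simple string match, so either logins that carry a `redirect` get rejected by the provider, or the registration has to be loosened to accept arbitrary query strings, which weakens the check that binds the authorization code to this exact callback. Keeping `redirect_uri` fixed and holding the post-login target server-side (in the session, keyed to the OAuth `state` value) sidesteps both issues; if the query-parameter design is kept, call `is_aur_url(redirect)` here too so a bad target is refused before the round trip to the provider instead of being silently swapped for `/` afterwards. The hunk also uses `urlencode` but shows no import; confirm `from urllib.parse import urlencode` is present in `sso.py`.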
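Review bot: `is_aur_url` is the only control between the attacker-influenceable `redirect` value and an open redirect, so it deserves a docstring stating the rule and a few unit tests pinning it down. The `aur_location + "/"` prefix check is the right shape (a hostname that merely begins with the AUR host does not match), but note two consequences of a plain `startswith`: the comparison is case-sensitive, and every relative path such as `/packages/...` is rejected, so only absolute URLs produced from `aur_location` itself will ever pass. Either document that the caller must send absolute URLs or explicitly accept paths that start with a single `/` (and not `//`). While touching `authenticate`, the pre-existing docstring typo "an new AUR session" in the context could be fixed as well.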
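Review bot: On the `response = RedirectResponse(redirect if redirect and is_aur_url(redirect) else "/")` line, a `redirect` that fails `is_aur_url` is silently replaced by `/`. A link generated by the AUR itself should never fail that check, so a failure is a signal worth recording: log the rejected value together with the client IP (which `is_ip_banned(conn, ip)` in the context shows is already at hand) so that probing of the parameter is visible to operators, rather than disappearing into a normal-looking login. Splitting the expression into a named variable would also make the fallback easier to read and to test.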
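Review bot: In the `login.php` hunk, `$_SERVER['HTTP_REFERER']` is read without an `isset()` guard, so a direct visit to the login page (no Referer header, or a browser applying a strict referrer policy) raises an "Undefined index" notice; write `$referer = $_SERVER['HTTP_REFERER'] ?? '';` or wrap the read in `isset()`. Both `in_request('referer')` and the header are caller-controlled inputs that this file forwards as-is, which is acceptable only because `is_aur_url` in `sso.py` stays the enforcement point; a comment here saying so would stop a later change from trusting `$referer` directly. Finally, when the referer is the login page itself (a retry after a failed password login), the user is sent back to the login form after a successful SSO login; excluding the login URL from the fallback avoids that loop.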