
AuthManager PrimaryAuthenticationProvider that returns one redirect AuthenticationResponse breaks returnto mechanism
Closed, ResolvedPublic

Description

If you log in with an AuthenticationProvider that needs to redirect you to another page (e.g. how GoogleLogin does), you aren't redirected to the page which is specified in the returnto url parameter. The return URL for the external authentication page is something like:

http://localhost/w/index.php?title=Special:UserLogin/return&wpLoginToken=1651a11de52abe82532b24c87debd7d25740e8cd%2B%5C&returnto=Special%3ARemoveCredentials&code=4%2F4wm1tRjTf13CARICv7EjusPxCHCDLSHsRjqEBFD4LBk#

where you see the returnto query. However, after processing the request through AuthManagerSpecialPage::handleReturnBeforeExecute you'll get this as a redirect:

string(39) "http://localhost/wiki/Special:UserLogin"

The AuthManagerSpecialPage class strips any unnecessary query parameters with the AuthManagerSpecialPage::getPreservedParams(), but unfortunately, this function doesn't preserve the returnto and returntoquery parameters, which should be preserved to correctly handle the redirect after a successful login.

This is bad, especially if a user needs to re-authenticate for a sensitive-data action (such as calling Special:RemoveCredentials), as they get redirected to the main page after successful authentication with a provider that needs a redirect.
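As an added illustration of the bug (this is not MediaWiki's code and not the patch from this task), the following Python models the query whitelist that AuthManagerSpecialPage::getPreservedParams() applies, once without and once with returnto/returntoquery, and shows where the login lands in each case. The wiki URL layout, the two parameter lists and the sample return URL (with placeholder token and code values) are assumptions.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Assumed local wiki layout (matches the URLs quoted in the task).
WIKI_ARTICLE_PATH = "http://localhost/wiki/"
LOGIN_PAGE = "Special:UserLogin"

# Which query keys survive AuthManagerSpecialPage::handleReturnBeforeExecute.
# Before the fix the return target was dropped; after it, it is kept.
# (Assumed lists; MediaWiki's real whitelist is longer.)
PRESERVED_BEFORE_FIX = ("wpLoginToken",)
PRESERVED_AFTER_FIX = ("wpLoginToken", "returnto", "returntoquery")

# Constructed sample of the provider's return URL: the one-time 'code' and
# the login token are placeholders, the returnto target is the task's.
RETURN_URL = (
    "http://localhost/w/index.php?title=Special:UserLogin/return"
    "&wpLoginToken=TOKEN-PLACEHOLDER"
    "&returnto=Special%3ARemoveCredentials"
    "&returntoquery=action%3Dshow"
    "&code=CODE-PLACEHOLDER"
)


def parse_query(url):
    """Decode the query string of a URL into a dict (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def get_preserved_params(query, preserved):
    """Mimic getPreservedParams(): keep only the whitelisted keys, so
    provider-specific one-time values such as 'code' are never re-emitted."""
    return {k: v for k, v in query.items() if k in preserved}


def redirect_after_login(return_url, preserved):
    """Where a successful login sends the user. The target is rebuilt from a
    page *title*, never echoed as a raw URL, so it always stays on this wiki."""
    kept = get_preserved_params(parse_query(return_url), preserved)
    title = kept.get("returnto") or LOGIN_PAGE   # lost returnto -> login page
    url = WIKI_ARTICLE_PATH + quote(title, safe=":/")
    if kept.get("returntoquery"):
        # returntoquery is an encoded query string of its own; re-parse and
        # re-encode it rather than splicing the raw value into the Location.
        url += "?" + urlencode(parse_qsl(kept["returntoquery"]))
    return url


if __name__ == "__main__":
    print("before fix:", redirect_after_login(RETURN_URL, PRESERVED_BEFORE_FIX))
    print("after fix: ", redirect_after_login(RETURN_URL, PRESERVED_AFTER_FIX))
```

With the pre-fix whitelist the result is the bare Special:UserLogin URL quoted above; with returnto and returntoquery preserved the user lands on Special:RemoveCredentials, while the provider's one-time code is still dropped.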

Event Timeline

Florian created this task. May 21 2016, 11:17 PM
Restricted Application added subscribers: Zppix, Aklapper. May 21 2016, 11:17 PM

Change 290048 had a related patch set uploaded (by Florianschmidtwelzow):
AuthManagerSpecialPage: Preserve returnto and returntoquery params

https://gerrit.wikimedia.org/r/290048

Florian added a subscriber: Tgr. May 23 2016, 3:54 PM

Change 290048 merged by jenkins-bot:
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/290048

Change 291566 had a related patch set uploaded (by Gergő Tisza):
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/291566

Change 291566 merged by jenkins-bot:
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/291566

Anomie closed this task as Resolved. Jun 1 2016, 4:16 PM