Page MenuHomePhabricator
Create Task
Maniphest T135924

AuthManager PrimaryAuthenticationProvider that returns one redirect AuthenticationResponse breaks returnto mechanism
Closed, ResolvedPublic
Actions

Description

If you login with an AuthenticationProvider that needs to redirect you to another page (e.g. how GoogleLogin does), you aren't redirected to the page which is specified in the returnto url parameter. The return URL for the external authentication page is something like:

http://localhost/w/index.php?title=Special:UserLogin/return&wpLoginToken=1651a11de52abe82532b24c87debd7d25740e8cd%2B%5C&returnto=Special%3ARemoveCredentials&code=4%2F4wm1tRjTf13CARICv7EjusPxCHCDLSHsRjqEBFD4LBk#

where you see the returnto query. However, after processing the request through [[ https://github.com/wikimedia/mediawiki/blob/master/includes/specialpage/AuthManagerSpecialPage.php#L92-L134 | AuthManagerSpecialPage::handleReturnBeforeExecute ]] you'll get this as a redirect:

string(39) "http://localhost/wiki/Special:UserLogin"

The AuthManagerSpecialPage class strips any unnecessary query parameters with the [[ https://github.com/wikimedia/mediawiki/blob/master/includes/specialpage/AuthManagerSpecialPage.php#L490-L506 | AuthManagerSpecialPage::getPreservedParams() ]], but unfortunately, this function doesn't preserve the returnto and returntoquery parameters, which should be preserved to correctly handle the redirect after a successful login.

This is somehow bad, especially, if an user needs to re-authenticate for a sensitive-data-action (such as calling Special:RemoveCredentials), as they get redirected to the main page after successfully authentication with a Provider that needs a redirect.

Details

SubjectRepoBranchLines +/-
LoginSignupSpecialPage: Load return and returnto params as early as possiblemediawiki/coreREL1_27+34 -10
LoginSignupSpecialPage: Load return and returnto params as early as possiblemediawiki/coremaster+34 -10
Customize query in gerrit

Related Objects
Search...

Event Timeline

Florian created this task.May 21 2016, 11:17 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 21 2016, 11:17 PM
Florian added a project: MediaWiki-Core-AuthManager.May 21 2016, 11:17 PM
gerritbot subscribed.May 21 2016, 11:21 PM

Change 290048 had a related patch set uploaded (by Florianschmidtwelzow):
AuthManagerSpecialPage: Preserve returnto and returntoquery params

https://gerrit.wikimedia.org/r/290048

gerritbot added a project: Patch-For-Review.May 21 2016, 11:21 PM
Florian added a subscriber: Tgr.May 23 2016, 3:54 PM
Tgr added a parent task: T110278: Improve interaction between AuthManager and the UI layer.May 24 2016, 8:43 PM
gerritbot added a comment.May 28 2016, 8:14 PM

Change 290048 merged by jenkins-bot:
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/290048

gerritbot added a comment.May 28 2016, 9:09 PM

Change 291566 had a related patch set uploaded (by Gergő Tisza):
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/291566

gerritbot added a comment.May 28 2016, 9:19 PM

Change 291566 merged by jenkins-bot:
LoginSignupSpecialPage: Load return and returnto params as early as possible

https://gerrit.wikimedia.org/r/291566

ReleaseTaggerBot added projects: MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), MW-1.27-release-notes, MW-1.28-release-notes.Jun 1 2016, 1:00 AM
Anomie closed this task as Resolved.Jun 1 2016, 4:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits