From 64d9be726f27672ad15af124e03bdd472366b327 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 9 Nov 2018 17:17:43 +1100
Subject: [PATCH] the protection I placed was in the wrong path moved to /session/sso correct previous commit
---
 app/controllers/session_controller.rb | 2 +-
 spec/requests/session_controller_spec.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index fbd9859e6af..fa8eecac5ac 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -173,7 +173,7 @@ class SessionController < ApplicationController
 end
 # never redirects back to sso in an sso loop
- if return_path.start_with?(path("/sso"))
+ if return_path.start_with?(path("/session/sso"))
 return_path = path("/")
 end
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 7264196a618..be90c421c26 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -303,8 +303,8 @@ RSpec.describe SessionController do
 end
- it 'will never redirect back to /sso path' do
- sso = get_sso("/sso?bla=1")
+ it 'will never redirect back to /session/sso path' do
+ sso = get_sso("/session/sso?bla=1")
 sso.email = user.email
 sso.external_id = 'abc'
 sso.username = 'sam'
@@ -312,7 +312,7 @@ RSpec.describe SessionController do
 get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
 expect(response).to redirect_to('/')
- sso = get_sso("http://#{Discourse.current_hostname}/sso?bla=1")
+ sso = get_sso("http://#{Discourse.current_hostname}/session/sso?bla=1")
 sso.email = user.email
 sso.external_id = 'abc'
 sso.username = 'sam'
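Review bot: `return_path.start_with?(path("/session/sso"))` tests the raw string, so the loop guard depends on `return_path` already being reduced to a site-relative, normalised path by code that sits outside this hunk. The spec's absolute-URL case implies the host is stripped earlier, but nothing visible here shows it, so a comment stating that precondition would stop a later refactor from reordering the two steps. The prefix also matches `/session/sso_login` (the endpoint the spec requests), which looks intended and is worth saying, e.g. `# return_path is site-relative here; the prefix covers /session/sso and /session/sso_login`. The enclosing method starts and ends outside the hunk.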
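Review bot: The example `it 'will never redirect back to /session/sso path'` holds both the relative and the absolute-URL case (it runs on into the `@@ -312,7 +312,7 @@` hunk and ends outside it), so a failure of the first `expect(response).to redirect_to('/')` hides the result of the second. Splitting it into two examples would report each form independently. Unless they are asserted elsewhere in the spec, it would also help to pin a return path of `/session/sso_login`, which the controller's prefix check covers, and one ordinary path that must be preserved, so that a guard that is too narrow or too broad is caught.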