From dce48d8aa7eea516c451b9ac114ec0efd664b783 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Wed, 31 Mar 2021 12:23:12 +0300
Subject: [PATCH] FIX: Redirect to provided origin after auth (#12558)

It used to redirect to the destination_url cookie which sometimes is set incorrectly.
---
 app/controllers/users/omniauth_callbacks_controller.rb | 5 ++++-
 lib/middleware/omniauth_bypass_middleware.rb | 3 +++
 spec/requests/omniauth_callbacks_controller_spec.rb | 10 ++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index b12852b273b..32b9bc3639c 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -40,7 +40,10 @@ class Users::OmniauthCallbacksController < ApplicationController
     preferred_origin = request.env['omniauth.origin']
-    if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
+    if session[:destination_url].present?
+      preferred_origin = session[:destination_url]
+      session.delete(:destination_url)
+    elsif SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
       preferred_origin = session_sso_provider_url + "?" + payload
     elsif cookies[:destination_url].present?
       preferred_origin = cookies[:destination_url]
diff --git a/lib/middleware/omniauth_bypass_middleware.rb b/lib/middleware/omniauth_bypass_middleware.rb
index 4a3273071f5..c794b11aabb 100644
--- a/lib/middleware/omniauth_bypass_middleware.rb
+++ b/lib/middleware/omniauth_bypass_middleware.rb
@@ -34,6 +34,9 @@ class Middleware::OmniauthBypassMiddleware
       # If the user is trying to reconnect to an existing account, store in session
       request.session[:auth_reconnect] = !!request.params["reconnect"]
+
+      # If the client provided an origin, store in session to redirect back
+      request.session[:destination_url] = request.params["origin"]
     end
   end
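Review bot: The new first branch of the `if` makes `preferred_origin` a value the client chose on the initial `/auth/...` request (it arrives via `session[:destination_url]`), and the hunk ends at `preferred_origin = cookies[:destination_url]` before whatever follows, so it cannot be confirmed from here that the redirect target is restricted to the site's own host; if the method later redirects to `preferred_origin` unvalidated, this is an open redirect reachable by anyone who can get a victim to follow a crafted login link. Whatever same-host/relative-path check already applies to the `omniauth.origin` and cookie sources must cover this branch too, and it should reject protocol-relative (`//host/...`) and non-http schemes, not just foreign hostnames. The precedence change also deserves a comment, since the session value now wins over the DiscourseConnect provider payload: `# A client-supplied origin (stashed in the session by OmniauthBypassMiddleware) takes precedence over the SSO-provider return URL and the legacy destination_url cookie`. The enclosing method starts before and ends after this hunk.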
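Review bot: `request.session[:destination_url] = request.params["origin"]` stores whatever the client sent with no check at all, so the session now carries an unvalidated, attacker-chosen URL that the callback controller later uses as a redirect target; validating at the point of storage (parse with `URI.parse`, keep only a path-only or same-host URL, store `nil` otherwise) means no later `present?` check is ever fed a foreign URL and bounds what a client can persist in the session. Note the spec added in this commit supplies an absolute same-host URL, so a path-only rule would require that spec to change. The unconditional assignment is also worth explaining, because it deliberately clears a stale value when the parameter is absent: `# Always assign (even nil) so a destination left over from an earlier, abandoned auth attempt is not reused`. The enclosing method starts before this hunk.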
diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
index 60245307178..33359a2c718 100644
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -766,6 +766,16 @@ RSpec.describe Users::OmniauthCallbacksController do
       expect(UserAssociatedAccount.count).to eq(1) # Reconnect has not yet happened
     end
+    it 'stores and redirects to \'origin\' parameter' do
+      # Log in normally
+      post "/auth/google_oauth2?origin=http://test.localhost/atesturl"
+      expect(response.status).to eq(302)
+      expect(session[:destination_url]).to eq("http://test.localhost/atesturl")
+      get "/auth/google_oauth2/callback.json"
+      expect(response.status).to eq(302)
+      expect(response.redirect_url).to eq("http://test.localhost/atesturl")
+    end
   end
   context 'after changing email' do
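Review bot: The new example only exercises a same-host `origin`, so it does not show that a foreign origin is refused, which is the case most worth pinning now that the post-auth redirect target is client-supplied. Add a sibling example that posts `origin=https://attacker.example/x` (and a protocol-relative `//attacker.example/x`), completes the callback, and asserts `expect(response.redirect_url).not_to eq("https://attacker.example/x")`; the safe fallback target cannot be read from this hunk, so the positive expectation is left to the author. The `# Log in normally` comment would say more as `# Start the auth flow with an explicit origin; the middleware should stash it in the session`.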