Adjust the redirect URI precedence in cookie auth

This commit is contained in:
Troy Dai 2016-08-10 09:42:24 -07:00
parent 1ef62a40b3
commit 97afe4acc8
2 changed files with 37 additions and 11 deletions

View File

@ -315,20 +315,23 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
if (shouldRedirectToReturnUrl && Response.StatusCode == 200) if (shouldRedirectToReturnUrl && Response.StatusCode == 200)
{ {
CookieRedirectContext redirectContext = null; CookieRedirectContext redirectContext = null;
var query = Request.Query; // set redirect uri in order:
var redirectUri = query[Options.ReturnUrlParameter]; // 1. properties.RedirectUri
if (!StringValues.IsNullOrEmpty(redirectUri) && IsHostRelative(redirectUri)) // 2. query parameter ReturnUrlParameter
var redirectUri = properties.RedirectUri;
if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
{ {
redirectContext = new CookieRedirectContext(Context, Options, redirectUri, properties); redirectUri = Request.Query[Options.ReturnUrlParameter];
} if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
else if (!string.IsNullOrEmpty(properties.RedirectUri) && IsHostRelative(properties.RedirectUri)) {
{ redirectUri = null;
redirectContext = new CookieRedirectContext(Context, Options, properties.RedirectUri, properties); }
} }
if (redirectContext != null) if (redirectUri != null)
{ {
redirectContext = new CookieRedirectContext(Context, Options, redirectUri, properties);
await Options.Events.RedirectToReturnUrl(redirectContext); await Options.Events.RedirectToReturnUrl(redirectContext);
} }
} }

View File

@ -1074,6 +1074,29 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
Assert.Equal("/redirect_test", transaction.Response.Headers.Location.ToString()); Assert.Equal("/redirect_test", transaction.Response.Headers.Location.ToString());
} }
[Fact]
public async Task RedirectUriInQueryIsHoneredAfterSignin()
{
var options = new CookieAuthenticationOptions
{
LoginPath = "/testpath",
ReturnUrlParameter = "return",
CookieName = "TestCookie"
};
var server = CreateServer(options, async context =>
{
await context.Authentication.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", CookieAuthenticationDefaults.AuthenticationScheme))));
});
var transaction = await SendAsync(server, "http://example.com/testpath?return=%2Fret_path_2");
Assert.NotEmpty(transaction.SetCookie);
Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
Assert.Equal("/ret_path_2", transaction.Response.Headers.Location.ToString());
}
[Fact] [Fact]
public async Task EnsurePrecedenceOfRedirectUriAfterSignin() public async Task EnsurePrecedenceOfRedirectUriAfterSignin()
{ {
@ -1095,7 +1118,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
Assert.NotEmpty(transaction.SetCookie); Assert.NotEmpty(transaction.SetCookie);
Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
Assert.Equal("/ret_path_2", transaction.Response.Headers.Location.ToString()); Assert.Equal("/redirect_test", transaction.Response.Headers.Location.ToString());
} }
[Fact] [Fact]