From 4475bc2b1ebd11dbb0f4dba9fb766da9a650e2e1 Mon Sep 17 00:00:00 2001
From: Arpit Mohan
Date: Wed, 29 Jul 2020 16:07:40 +0530
Subject: [PATCH] Configuring dynamic redirect post login (#194)
The client will have to send a query parameter redirectUrl or a header X-Redirect-Url in order for the server to redirect the client to the appropriate URL post login. If neither of these parameters are present, the client is redirected to /applications by default.
Co-authored-by: Shrikant Sharat Kandula
---
 .../AuthenticationSuccessHandler.java | 2 +-
 ...verOAuth2AuthorizationRequestResolver.java | 8 ++---
 .../server/helpers/RedirectHelper.java | 31 ++++++++++++++++++-
 3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationSuccessHandler.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationSuccessHandler.java
index 520f5594b9..28802cc071 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationSuccessHandler.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationSuccessHandler.java
@@ -85,7 +85,7 @@ public class AuthenticationSuccessHandler implements ServerAuthenticationSuccess
 // On authentication success, we send a redirect to the client's home page. This ensures that the session
 // is set in the cookie on the browser.
- String redirectUrl = RedirectHelper.getRedirectUrl(exchange.getRequest().getHeaders());
+ String redirectUrl = RedirectHelper.getRedirectUrl(exchange.getRequest());
 URI defaultRedirectLocation = URI.create(redirectUrl);
 return this.redirectStrategy.sendRedirect(exchange, defaultRedirectLocation);
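Review bot: `URI.create(redirectUrl)` now receives a value that `RedirectHelper.getRedirectUrl` can take verbatim from the `redirectUrl` query parameter, so a malformed value raises `IllegalArgumentException` at this line instead of producing a redirect. Parse defensively and fall back to the default, e.g. `try { target = URI.create(redirectUrl); } catch (IllegalArgumentException e) { target = URI.create(RedirectHelper.DEFAULT_REDIRECT_URL); }`. The comment above the call still says the redirect goes to the client's home page, which is no longer the only outcome; `// Redirect to the client-requested URL, or to the default page when none is given.` would match the new behaviour. The enclosing method starts and ends outside this hunk.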
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/CustomServerOAuth2AuthorizationRequestResolver.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/CustomServerOAuth2AuthorizationRequestResolver.java
index 0e2feb68c7..b31a30f95b 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/CustomServerOAuth2AuthorizationRequestResolver.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/CustomServerOAuth2AuthorizationRequestResolver.java
@@ -174,7 +174,7 @@ public class CustomServerOAuth2AuthorizationRequestResolver implements ServerOAu
 .clientId(clientRegistration.getClientId())
 .authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 .redirectUri(redirectUriStr).scopes(clientRegistration.getScopes())
- .state(this.generateKey(exchange.getRequest().getHeaders()))
+ .state(this.generateKey(exchange.getRequest()))
 .attributes(attributes)
 .build();
 }
@@ -185,12 +185,12 @@ public class CustomServerOAuth2AuthorizationRequestResolver implements ServerOAu
 * based on the referer so as to transfer control back to it. If the referer is not available, we default to
 * redirecting to the server's index page.
 *
- * @param httpHeaders
+ * @param request
 * @return
 */
- private String generateKey(HttpHeaders httpHeaders) {
+ private String generateKey(ServerHttpRequest request) {
 String stateKey = this.stateGenerator.generateKey();
- String redirectUrl = RedirectHelper.getRedirectUrl(httpHeaders);
+ String redirectUrl = RedirectHelper.getRedirectUrl(request);
 stateKey = stateKey + "," + Security.STATE_PARAMETER_ORIGIN + redirectUrl;
 return stateKey;
 }
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/helpers/RedirectHelper.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/helpers/RedirectHelper.java
index d5b2c4e775..1d747713c8 100644
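Review bot: In `generateKey`, the value appended to the OAuth2 `state` after `"," + Security.STATE_PARAMETER_ORIGIN` can now be chosen by the client through the `redirectUrl` query parameter, and nothing here encodes it. A value containing `,` or the origin marker itself could be split incorrectly by whatever parses the state on the callback (not visible in this diff), and that parser should treat the extracted URL as untrusted and re-validate it before redirecting. Consider encoding the URL before concatenation, e.g. `stateKey + "," + Security.STATE_PARAMETER_ORIGIN + URLEncoder.encode(redirectUrl, StandardCharsets.UTF_8)`, with the matching decode on the callback side. The Javadoc also still describes a referer-based redirect and leaves `@param request` and `@return` empty.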
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/helpers/RedirectHelper.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/helpers/RedirectHelper.java
@@ -2,6 +2,8 @@ package com.appsmith.server.helpers;
 import com.appsmith.server.constants.Security;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 import java.net.URI;
@@ -11,8 +13,34 @@ public class RedirectHelper {
 public static final String DEFAULT_REDIRECT_URL = "/applications";
 private static final String REDIRECT_URL_HEADER = "X-Redirect-Url";
+ private static final String REDIRECT_URL_QUERY_PARAM = "redirectUrl";
- public static String getRedirectUrl(HttpHeaders httpHeaders) {
+ /**
+ * This function determines the redirect url that the browser should redirect to post-login. The priority order
+ * in which these checks will be made are:
+ * 1. Query parameters
+ * 2. Headers
+ *
+ * @param request
+ * @return
+ */
+ public static String getRedirectUrl(ServerHttpRequest request) {
+
+ MultiValueMap queryParams = request.getQueryParams();
+ HttpHeaders httpHeaders = request.getHeaders();
+
+ if (queryParams != null && queryParams.containsKey(REDIRECT_URL_QUERY_PARAM)) {
+ String redirectUrl = queryParams.getFirst(REDIRECT_URL_QUERY_PARAM);
+ if (!(redirectUrl.startsWith("http://") || redirectUrl.startsWith("https://")) &&
+ !StringUtils.isEmpty(httpHeaders.getOrigin())) {
+ redirectUrl = httpHeaders.getOrigin() + (StringUtils.isEmpty(redirectUrl) ? DEFAULT_REDIRECT_URL : redirectUrl);
+ }
+ return redirectUrl;
+ }
+ return getRedirectUrlFromHeader(httpHeaders);
+ }
+
+ private static String getRedirectUrlFromHeader(HttpHeaders httpHeaders) {
 // First check if the custom redirect header is set
 String redirectUrl = httpHeaders.getFirst(REDIRECT_URL_HEADER);
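Review bot: `getRedirectUrl` returns any `redirectUrl` that starts with `http://` or `https://` unchanged, so the post-login redirect in `AuthenticationSuccessHandler` and the OAuth2 `state` built in `generateKey` can both carry a client-chosen external site (an open redirect). The relative branch has two further gaps: it calls `redirectUrl.startsWith(...)` before the emptiness check, so a `redirectUrl` parameter sent without a value (for which `getFirst` can return null) would throw, and it appends the value to the `Origin` header without requiring a leading `/`, so the result is not guaranteed to stay on that host. The sketch below accepts only local paths or URLs under the request's own origin and otherwise falls back to `DEFAULT_REDIRECT_URL`; a server-side allow-list of hosts would be stronger than trusting `Origin`, if the project has one. The body of `getRedirectUrlFromHeader` continues outside the hunk and may need the same check for `X-Redirect-Url`.

```java
// … unchanged: REDIRECT_URL_QUERY_PARAM constant and Javadoc …
public static String getRedirectUrl(ServerHttpRequest request) {
    MultiValueMap<String, String> queryParams = request.getQueryParams();
    HttpHeaders httpHeaders = request.getHeaders();

    // getFirst() yields null for a missing key and for a key sent without a value.
    String redirectUrl = queryParams.getFirst(REDIRECT_URL_QUERY_PARAM);
    if (redirectUrl == null) {
        return getRedirectUrlFromHeader(httpHeaders);
    }

    String origin = httpHeaders.getOrigin();
    boolean hasOrigin = !StringUtils.isEmpty(origin);

    // A local path has exactly one leading slash, so it cannot name another host.
    boolean localPath = redirectUrl.startsWith("/")
            && !redirectUrl.startsWith("//")
            && !redirectUrl.startsWith("/\\");
    if (localPath) {
        return hasOrigin ? origin + redirectUrl : redirectUrl;
    }

    // An absolute URL is accepted only when it stays under the request's own origin.
    if (hasOrigin && redirectUrl.startsWith(origin + "/")) {
        return redirectUrl;
    }
    return hasOrigin ? origin + DEFAULT_REDIRECT_URL : DEFAULT_REDIRECT_URL;
}
// … unchanged: getRedirectUrlFromHeader(HttpHeaders) …
```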
@@ -46,4 +74,5 @@ public class RedirectHelper {
 }
 return redirectUrl;
 }
+
 }