FIX: never redirect back to /sso it will cause a loop

If for any reason our return url is set to `/sso` bypass using it for login redirect
2025-05-23 23:31:18 +08:00 · 2018-11-09 14:27:36 +11:00
parent 515e103db6
commit e6b3310577
2 changed files with 15 additions and 0 deletions
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -303,6 +303,16 @@ RSpec.describe SessionController do

    end

+    it 'will never redirect back to /sso path' do
+      sso = get_sso("/sso?bla=1")
+      sso.email = user.email
+      sso.external_id = 'abc'
+      sso.username = 'sam'
+
+      get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+      expect(response).to redirect_to('/')
+    end
+
    it 'can take over an account' do
      sso = get_sso("/")
      user = Fabricate(:user)