AuthenticationService::getUnauthenticatedRedirectUrl( Returns Relative URLs Without Ffull Base

[ravage84]

Description

Why does Authentication\AuthenticationService::getUnauthenticatedRedirectUrl() returns URLs without full base?

authentication/src/AuthenticationService.php

Line 398 in 6b6a2ef

return $url['path'] . '?' . $url['query'] . $fragment;

This makes asserting redirects because of unauthenticated access a PITA.

$this->assertRedirect('/login?redirect=' . urlencode($redirect));

Leads to the following test error because of this:

Failed asserting that 'http://localhost/coupon-portal/login?redirect=%2Fcampaigns%2Fposition' equals content in header 'Location' (/coupon-portal/login?redirect=%2Fcampaigns%2Fposition).

Because Cake\TestSuite\IntegrationTestTrait::assertRedirect() always tests against full based URLs:

https://github.com/cakephp/cakephp/blame/33626a03197758f30a8ce8c2e0a75ed8ddbce40a/src/TestSuite/IntegrationTestTrait.php#L929

Wouldn't full based URL redirects be more sensible (& secure) to begin with?

CakePHP Version

4.x & (probably) 5.x

PHP Version

irrelevant

[dereuromark]

I would argue that full based URLs are usually less secure, because they could redirect you away somewhere else.
So keeping it local prevents this kind of attack from the start.
Also, there can be cookie issues across even subdomains, so keeping it local by default also prevents issues here, or forever redirects or alike on misconfig.

[ADmad]

Why does Authentication\AuthenticationService::getUnauthenticatedRedirectUrl() returns URLs without full base?

Because that's what's consistently done throughout the framework unless you specifically ask for a URL with full base through a method/option.

Because Cake\TestSuite\IntegrationTestTrait::assertRedirect() always tests against full based URLs:

Then the test method should be adjusted / have a config to assert URLs without the full base.