fix(OAuth): fix redirect to previous page instead of /

ytsaurus · Dec 17, 2024 · e19bd0c · e19bd0c
1 parent 565b205
commit e19bd0c
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 10 deletions.
diff --git a/packages/ui/src/@types/core.d.ts b/packages/ui/src/@types/core.d.ts
@@ -110,6 +110,10 @@ export interface YTCoreConfig {
          *  Label on the Login via OpenID button
          */
         buttonLabel?: string;
+        /**
+         * Represents the URL to which request will be redirected.
+         */
+        redirectUrl?: string;
     };
     /**
      * Modifies headers of /api/yt/login request:

diff --git a/packages/ui/src/server/components/oauth.ts b/packages/ui/src/server/components/oauth.ts
@@ -2,6 +2,12 @@ import axios from 'axios';
 import type {Request, Response} from 'express';
 import {YT_OAUTH_ACCESS_TOKEN_NAME, YT_OAUTH_REFRESH_TOKEN_NAME} from '../../shared/constants';
 
+function getRedirectURL(req: Request) {
+    const config = getOAuthSettings(req);
+
+    return config.redirectUrl ?? `https://${req.get('host')}`;
+}
+
 export function isOAuthAllowed(req: Request) {
     const config = req.ctx.config.ytOAuthSettings;
     return Boolean(
@@ -72,14 +78,21 @@ export function saveOAuthTokensInCookies(res: Response, tokens: OAuthAuthorizati
     }
 }
 
-export function getOAuthLoginPath(req: Request) {
+export function getOAuthLoginPath(req: Request, res: Response) {
+    const {origin, pathname, search} = new URL(req.get('referrer') ?? getRedirectURL(req));
+
+    const state = `state_${crypto.randomUUID()}`;
+
+    res.cookie(state, {retPath: pathname + search});
+
     const config = getOAuthSettings(req);
-    const host = req.get('host');
+
     const params = new URLSearchParams({
         response_type: 'code',
         client_id: config.clientId,
         scope: config.scope,
-        redirect_uri: `https://${host}/api/oauth/callback`,
+        redirect_uri: `${origin}/api/oauth/callback`,
+        state,
     });
 
     const url = new URL(config.authPath, config.baseURL);
@@ -95,9 +108,8 @@ export function getOAuthLogoutPath(req: Request) {
         return '/api/oauth/logout/callback';
     }
 
-    const host = req.get('host');
     const params = new URLSearchParams({
-        post_logout_redirect_uri: `https://${host}/api/oauth/logout/callback`,
+        post_logout_redirect_uri: `${getRedirectURL(req)}/api/oauth/logout/callback`,
         client_id: config.clientId,
     });
 
@@ -135,13 +147,13 @@ export async function exchangeOAuthToken(
     code: string,
 ): Promise<OAuthAuthorizationTokens> {
     const config = getOAuthSettings(req);
-    const host = req.get('host');
+
     const params = new URLSearchParams({
         grant_type: 'authorization_code',
         client_id: config.clientId,
         code: code as string,
         client_secret: config.clientSecret,
-        redirect_uri: `https://${host}/api/oauth/callback`,
+        redirect_uri: `${getRedirectURL(req)}/api/oauth/callback`,
     });
 
     const {data} = await axios.post(

diff --git a/packages/ui/src/server/controllers/oauth-login.ts b/packages/ui/src/server/controllers/oauth-login.ts
@@ -7,7 +7,7 @@ import {
 } from '../components/oauth';
 
 export function oauthLogin(req: Request, res: Response) {
-    res.redirect(getOAuthLoginPath(req));
+    res.redirect(getOAuthLoginPath(req, res));
 }
 
 export function oauthLogout(_: Request, res: Response) {
@@ -16,17 +16,23 @@ export function oauthLogout(_: Request, res: Response) {
 }
 
 export async function oauthCallback(req: Request, res: Response) {
-    const {code} = req.query;
+    const {code, state} = req.query;
     if (!code) {
         throw new Error('Authorization code is not specified');
     }
 
+    let redirectURL = '/';
+
+    if (state) {
+        redirectURL = req.cookies[state as string]?.retPath ?? '/';
+    }
+
     try {
         const tokens = await exchangeOAuthToken(req, code as string);
 
         saveOAuthTokensInCookies(res, tokens);
 
-        res.redirect('/');
+        res.redirect(redirectURL);
     } catch (e) {
         req.ctx.logError('exchange token error', e);
         const message = e instanceof Error ? e.message : 'Unknown error';