feat: Add _securedUrl to flash scope on overrides

Author: elpete

.travis.yml

@@ -1,31 +1,31 @@
 language: java
 sudo: required
 jdk:
-  - openjdk8
+    - openjdk8
 env:
-  matrix:
-    - ENGINE=lucee@5 COLDBOX_VERSION=stable
-    - ENGINE=adobe@2018 COLDBOX_VERSION=stable
-    - ENGINE=adobe@2016 COLDBOX_VERSION=stable
-    - ENGINE=lucee@5 COLDBOX_VERSION=be
-    - ENGINE=adobe@2018 COLDBOX_VERSION=be
-    - ENGINE=adobe@2016 COLDBOX_VERSION=be
+    matrix:
+        - ENGINE=lucee@5 COLDBOX_VERSION=stable
+        - ENGINE=adobe@2018 COLDBOX_VERSION=stable
+        - ENGINE=adobe@2016 COLDBOX_VERSION=stable
+        - ENGINE=lucee@5 COLDBOX_VERSION=be
+        - ENGINE=adobe@2018 COLDBOX_VERSION=be
+        - ENGINE=adobe@2016 COLDBOX_VERSION=be
 before_install:
-  - curl -fsSl https://downloads.ortussolutions.com/debs/gpg | sudo apt-key add -
-  - sudo echo "deb http://downloads.ortussolutions.com/debs/noarch /" | sudo tee -a /etc/apt/sources.list.d/commandbox.list
+    - curl -fsSl https://downloads.ortussolutions.com/debs/gpg | sudo apt-key add -
+    - sudo echo "deb http://downloads.ortussolutions.com/debs/noarch /" | sudo tee -a /etc/apt/sources.list.d/commandbox.list
 install:
-  - sudo apt update && sudo apt --assume-yes install commandbox
-  - box install commandbox-cfformat
-  - box install
-  - box install coldbox@${COLDBOX_VERSION} --force
+    - sudo apt update && sudo apt --assume-yes install commandbox
+    - box install commandbox-cfformat
+    - box install
+    - box install coldbox@${COLDBOX_VERSION} --force --!save
 before_script:
-  - box server start cfengine=$ENGINE port=8500
+    - box server start cfengine=$ENGINE port=8500
 script:
-  - box testbox run verbose=false
-  - box run-script format:check
+    - box testbox run verbose=false
+    - box run-script format:check
 after_success:
-  - box install commandbox-semantic-release
-  - box config set endpoints.forgebox.APIToken=${FORGEBOX_TOKEN}
-  - box semantic-release
+    - box install commandbox-semantic-release
+    - box config set endpoints.forgebox.APIToken=${FORGEBOX_TOKEN}
+    - box semantic-release
 notifications:
-   email: false
+    email: false

README.md

@@ -6,7 +6,7 @@
 
 ### Usage
 
-`cbguard` lets us lock down methods to logged in users and users with specific permissions using one annotation — `secured`.  Just sticking the secured annotation on a handler or action is enough to require a user to log in before executing those events.
+`cbguard` lets us lock down methods to logged in users and users with specific permissions using one annotation — `secured`. Just sticking the secured annotation on a handler or action is enough to require a user to log in before executing those events.
 
 Here's an example of how to lock down an entire handler:
 
@@ -36,7 +36,7 @@ component {
 }
 ```
 
-You can further lock down handlers and actions to a list of specific permissions.  If specified, the logged in user must have one of the permissions in the list specified.
+You can further lock down handlers and actions to a list of specific permissions. If specified, the logged in user must have one of the permissions in the list specified.
 
 ```cfc
 component secured="admin" {
@@ -64,7 +64,7 @@ component {
 }
 ```
 
-Individual actions can be secured in the same way.  Above, the `show` action requires the logged in user to have either the `admin` or the `reviews_posts` permission.
+Individual actions can be secured in the same way. Above, the `show` action requires the logged in user to have either the `admin` or the `reviews_posts` permission.
 
 These two approaches can be combined and both handler and actions can be secured together:
 
@@ -118,7 +118,7 @@ public void function authorize( required any permissions, struct additionalArgs
 In all cases `permissions` can be either a string, a list of strings, or an array of strings.
 
 In the case of `authorize` the `errorMessage` replaces the thrown error message
-in the `NotAuthorized`. exception.  It can also be a closure that takes the following shape:
+in the `NotAuthorized`. exception. It can also be a closure that takes the following shape:
 
 ```cfc
 string function errorMessage( array permissions, any user, struct additionalArgs );
@@ -127,14 +127,14 @@ string function errorMessage( array permissions, any user, struct additionalArgs
 #### Defining Custom Guards
 
 While handling all of your guard clauses inside the `hasPermission` method on your user
-works fine, you may want to define a different way to handle permissions.  You
-can do this by declaring custom guards using the `guard.define` method.  Here's the signature:
+works fine, you may want to define a different way to handle permissions. You
+can do this by declaring custom guards using the `guard.define` method. Here's the signature:
 
 ```cfc
 public Guard function define( required string name, required any callback );
 ```
 
-The `name` will match against a permission name.  If it matches, the guard is
+The `name` will match against a permission name. If it matches, the guard is
 called instead of calling `hasPermission` on the `User` model. (You can always
 call `hasPermission` on the `User` inside your guard callback if you need.)
 
@@ -149,7 +149,7 @@ public boolean function authorize( required any user, struct additionalArgs = {}
 ```
 
 Using this approach, you can define custom guards anywhere in your application:
-`config/ColdBox.cfc`, `ModuleConfig.cfc` of your custom modules, etc.  The
+`config/ColdBox.cfc`, `ModuleConfig.cfc` of your custom modules, etc. The
 `Guard` component is registered as a singleton, so it will keep track of all the
 guards registered, even from different sources.
 
@@ -161,7 +161,7 @@ public Guard function removeDefinition( required string name );
 
 ### Redirects
 
-When a user is denied access to a action, an event of your choosing is executed instead.  There are four keys that can be set in the `moduleSettings` struct that all come with good defaults.
+When a user is denied access to a action, an event of your choosing is executed instead. There are four keys that can be set in the `moduleSettings` struct that all come with good defaults.
 
 1. `authenticationOverrideEvent` (Default: `Main.onAuthenticationFailure`)
 
@@ -173,12 +173,16 @@ This is the event that is executed when the user is logged in and is attempting
 
 3. `authenticationAjaxOverrideEvent` (Default: `Main.onAuthenticationFailure`)
 
-This is the event that is executed when the user is not logged in and is attempting to execute a secured action via ajax (`event.isAjax()`), whether or not that handler or action has permissions.  By default, this will execute the same action that is configured for `authenticationOverrideEvent`.
+This is the event that is executed when the user is not logged in and is attempting to execute a secured action via ajax (`event.isAjax()`), whether or not that handler or action has permissions. By default, this will execute the same action that is configured for `authenticationOverrideEvent`.
 
 4. `authorizationAjaxOverrideEvent` (Default: same as `authorizationOverrideEvent`)
 
 This is the event that is executed when the user is logged in and is attempting to execute a secured action via ajax (`event.isAjax()`) but does not have the requisite permissions. By default, this will execute the same action that is configured for `authorizationOverrideEvent`.
 
+### \_securedUrl
+
+When an override event is used, the url the user was trying to access is stored in the `flash` scope as `_securedUrl`.
+You can make use of this in your login actions to send the user back where they intended after logging in.
 
 ### Setup
 
@@ -234,12 +238,11 @@ moduleSettings = {
 };
 ```
 
-The default `authenticationService` for `cbguard` is `AuthenticationService@cbauth`.  `cbauth` follows the `AuthenticationServiceInterface` out of the box.
-
+The default `authenticationService` for `cbguard` is `AuthenticationService@cbauth`. `cbauth` follows the `AuthenticationServiceInterface` out of the box.
 
 ### config/ColdBox.cfc Settings
 
-You can change the method names called on the `AuthenticationService` and the returned `User` if you need to.  We highly discourage this use case, as it makes it harder to utilize the `cbguard` conventions across projects.  However, should the need arise, you can modify the method names as follows:
+You can change the method names called on the `AuthenticationService` and the returned `User` if you need to. We highly discourage this use case, as it makes it harder to utilize the `cbguard` conventions across projects. However, should the need arise, you can modify the method names as follows:
 
 ```cfc
 moduleSettings = {
@@ -271,10 +274,9 @@ moduleSettings = {
 `relocate` refers to calling `relocate` on the controller. The user will be redirected to the new page.
 `override` refers to `event.overrideEvent`. This will not redirect but simply change the running event.
 
-
 ### Module Overrides
 
-All of the `cbguard` settings can be overriden inside a module.  This allows modules, such as an API module, to provide
+All of the `cbguard` settings can be overriden inside a module. This allows modules, such as an API module, to provide
 their own authentication services as well as redirect events.
 
 To specify some overrides, create a `cbguard` struct in your desired module's `settings` in that module's `ModuleConfig.cfc`.
@@ -327,7 +329,9 @@ component secured {
 ```
 
 ### Override Order
+
 cbguard will process your authorization and authentication failures in the following order:
+
 1. Inline handler methods (`onAuthenticationFailure` & `onAuthorizationFailure` within your handlers).
 2. cbguard settings in the ModuleConfig of the handler's module. (Overrides in `modules_app/api/ModuleConfig.cfc` when the handler is in the module, i.e. `modules_app/api/handlers/Main.cfc`.)
 3. Overrides in `config/ColdBox.cfc` using `moduleSettings`.

box.json

@@ -1,35 +1,33 @@
 {
-    "name":"cbguard",
-    "version":"4.1.1",
-    "author":"",
-    "location":"forgeboxStorage",
-    "homepage":"https://github.com/coldbox-modules/cbguard",
-    "documentation":"https://github.com/coldbox-modules/cbguard",
-    "repository":{
-        "type":"git",
-        "URL":"https://github.com/coldbox-modules/cbguard"
+    "name": "cbguard",
+    "version": "4.1.1",
+    "author": "",
+    "location": "forgeboxStorage",
+    "homepage": "https://github.com/coldbox-modules/cbguard",
+    "documentation": "https://github.com/coldbox-modules/cbguard",
+    "repository": {
+        "type": "git",
+        "URL": "https://github.com/coldbox-modules/cbguard"
     },
-    "bugs":"https://github.com/coldbox-modules/cbguard/issues",
-    "slug":"cbguard",
-    "shortDescription":"Annotation driven guards for authentication and authorization in ColdBox apps",
-    "description":"Annotation driven guards for authentication and authorization in ColdBox apps",
-    "type":"modules",
-    "dependencies":{
-        "coldbox":"stable"
+    "bugs": "https://github.com/coldbox-modules/cbguard/issues",
+    "slug": "cbguard",
+    "shortDescription": "Annotation driven guards for authentication and authorization in ColdBox apps",
+    "description": "Annotation driven guards for authentication and authorization in ColdBox apps",
+    "type": "modules",
+    "dependencies": {},
+    "devDependencies": {
+        "coldbox": "^5.6.0",
+        "testbox": "^2.4.0+80"
     },
-    "devDependencies":{
-        "coldbox":"^5.6.0",
-        "testbox":"^2.4.0+80"
+    "installPaths": {
+        "testbox": "testbox/",
+        "coldbox": "tests/resources/app/coldbox/"
     },
-    "installPaths":{
-        "testbox":"testbox/",
-        "coldbox":"tests/resources/app/coldbox/"
+    "scripts": {
+        "format": "cfformat run interceptors/**/*.cfc,interfaces/**/*.cfc,models/**/*.cfc,tests/specs/**/*.cfc --overwrite",
+        "format:check": "cfformat check interceptors/**/*.cfc,interfaces/**/*.cfc,models/**/*.cfc,tests/specs/**/*.cfc"
     },
-    "scripts":{
-        "format":"cfformat run interceptors/**/*.cfc,interfaces/**/*.cfc,models/**/*.cfc,tests/specs/**/*.cfc --overwrite",
-        "format:check":"cfformat check interceptors/**/*.cfc,interfaces/**/*.cfc,models/**/*.cfc,tests/specs/**/*.cfc"
-    },
-    "ignore":[
+    "ignore": [
         "**/.*",
         "test",
         "tests"

interceptors/SecuredEventInterceptor.cfc

@@ -1,8 +1,9 @@
 component extends="coldbox.system.Interceptor" {
 
-    property name="coldboxVersion" inject="coldbox:fwSetting:version";
-    property name="handlerService" inject="coldbox:handlerService";
+    property name="flash" inject="coldbox:flash";
     property name="moduleService" inject="coldbox:moduleService";
+    property name="handlerService" inject="coldbox:handlerService";
+    property name="coldboxVersion" inject="coldbox:fwSetting:version";
     property name="invalidEventHandler" inject="coldbox:setting:invalidEventHandler";
 
     void function configure() {
@@ -100,6 +101,8 @@ component extends="coldbox.system.Interceptor" {
         }
 
         if ( !invoke( props.authenticationService, props.methodNames[ "isLoggedIn" ] ) ) {
+            saveSecuredUrl( event );
+
             // Override the coldbox.cfc global onAuthenticationFailure if it exists in the handler.
             // Per docs, they will override for Ajax requests also.
             var eventType = event.isAjax() ? "authenticationAjaxOverrideEvent" : "authenticationOverrideEvent";
@@ -147,6 +150,8 @@ component extends="coldbox.system.Interceptor" {
             }
         }
 
+        saveSecuredUrl( event );
+
         // At this point, we know the user did NOT have any of the required permissions,
         // so we will fire the appropriate authorization failure events
         var eventType = event.isAjax() ? "authorizationAjaxOverrideEvent" : "authorizationOverrideEvent";
@@ -217,7 +222,10 @@ component extends="coldbox.system.Interceptor" {
         if ( !structKeyExists( targetActionMetadata, "secured" ) || targetActionMetadata.secured == false ) {
             return false;
         }
+
         if ( !invoke( props.authenticationService, props.methodNames[ "isLoggedIn" ] ) ) {
+            saveSecuredUrl( event );
+
             var eventType = event.isAjax() ? "authenticationAjaxOverrideEvent" : "authenticationOverrideEvent";
             var relocateEvent = getOverrideEvent(
                 handlerMetadata,
@@ -257,6 +265,8 @@ component extends="coldbox.system.Interceptor" {
             }
         }
 
+        saveSecuredUrl( event );
+
         // Override the coldbox.cfc global onAuthorizationFailure if it exists in the handler.
         // Per docs, they will override for Ajax requests also.
         var eventType = event.isAjax() ? "authorizationAjaxOverrideEvent" : "authorizationOverrideEvent";
@@ -323,4 +333,25 @@ component extends="coldbox.system.Interceptor" {
         );
     }
 
+    /**
+     * Flash the incoming secured Url so we can redirect to it or use it in the next request.
+     *
+     * @event The event object
+     */
+    private function saveSecuredUrl( required event ) {
+        var securedUrl = arguments.event.getFullUrl();
+
+        if ( arguments.event.isSES() ) {
+            securedURL = arguments.event.buildLink(
+                to = event.getCurrentRoutedURL(),
+                queryString = CGI.QUERY_STRING,
+                translate = false
+            );
+        }
+
+        // Flash it and place it in RC as well
+        flash.put( "_securedUrl", securedUrl );
+        arguments.event.setValue( "_securedUrl", securedUrl );
+    }
+
 }

tests/specs/integration/SecuredUrlSpec.cfc

@@ -0,0 +1,21 @@
+component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
+
+    property name="interceptorService" inject="coldbox:interceptorService";
+    property name="flash" inject="coldbox:flash";
+
+    function run() {
+        describe( "Secured Url Spec", function() {
+            beforeEach( function() {
+                flash.clear();
+            } );
+
+            it( "puts the _securedUrl in the flash scope when relocating", function() {
+                var event = execute( event = "Secured.index" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                expect( flash.exists( "_securedUrl" ) ).toBeTrue( "_securedUrl should exist in the flash scope" );
+                expect( flash.get( "_securedUrl" ) ).toBe( event.getFullUrl() );
+            } );
+        } );
+    }
+
+}