Always redirect ajax requests when session expired (see #5868)

Description ----------- Fixes #5865 Just a quick attempt to fix this issue in a general manner. Not sure if that's the best way to go but we'll see :) Commits ------- a3b90aa Always redirect to the back end in case of ajax requests and an expir… 3d09ed3 Adjust implementation 346805f CS Co-authored-by: Leo Feyer <1192057+leofeyer@users.noreply.github.com>
contao · Mar 14, 2023 · bf1381a · bf1381a
1 parent 13f7b3e
commit bf1381a
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 4 deletions.
diff --git a/core-bundle/src/Resources/public/mootao.js b/core-bundle/src/Resources/public/mootao.js
@@ -80,6 +80,11 @@ Request.Contao = new Class(
 	failure: function() {
 		var url = this.getHeader('X-Ajax-Location');
 
+		if (url && 401 === this.status) {
+			location.replace(url);
+			return;
+		}
+
 		if (url && this.options.followRedirects && this.status >= 300 && this.status < 400) {
 			location.replace(url);
 			return;

diff --git a/core-bundle/src/Resources/public/mootao.min.js b/core-bundle/src/Resources/public/mootao.min.js
diff --git a/core-bundle/src/Security/Authentication/AuthenticationEntryPoint.php b/core-bundle/src/Security/Authentication/AuthenticationEntryPoint.php
@@ -15,6 +15,7 @@
 use Contao\CoreBundle\Routing\ScopeMatcher;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 use Symfony\Component\HttpKernel\UriSigner;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
@@ -38,7 +39,7 @@ public function __construct(RouterInterface $router, UriSigner $uriSigner, Scope
         $this->scopeMatcher = $scopeMatcher;
     }
 
-    public function start(Request $request, AuthenticationException $authException = null)
+    public function start(Request $request, AuthenticationException $authException = null): Response
     {
         if ($this->scopeMatcher->isBackendRequest($request)) {
             return $this->redirectToBackend($request);
@@ -47,14 +48,20 @@ public function start(Request $request, AuthenticationException $authException =
         throw new UnauthorizedHttpException('', 'Not authorized');
     }
 
-    private function redirectToBackend(Request $request): RedirectResponse
+    private function redirectToBackend(Request $request): Response
     {
         $url = $this->router->generate(
             'contao_backend_login',
             ['redirect' => $request->getUri()],
             UrlGeneratorInterface::ABSOLUTE_URL
         );
 
-        return new RedirectResponse($this->uriSigner->sign($url));
+        $location = $this->uriSigner->sign($url);
+
+        if ($request->isXmlHttpRequest()) {
+            return new Response($location, 401, ['X-Ajax-Location' => $location]);
+        }
+
+        return new RedirectResponse($location);
     }
 }
diff --git a/core-bundle/tests/Security/Authentication/AuthenticationEntryPointTest.php b/core-bundle/tests/Security/Authentication/AuthenticationEntryPointTest.php
@@ -77,6 +77,40 @@ public function testSignsTheBackendRedirectUrl(): void
         $this->assertSame('http://localhost/contao/login?_hash=%2FxSCw6cwMlws5DEhBCvs0%2F75oQA8q%2FgMkZEnYCf6QSE%3D&redirect=https%3A%2F%2Fcontao.org%2Fpreview.php%2Fabout-contao.html', $response->getTargetUrl());
     }
 
+    public function testRedirectsAjaxRequests(): void
+    {
+        $request = Request::create('http://localhost/contao/login?redirect=https%3A%2F%2Fcontao.org%2Fpreview.php%2Fabout-contao.html');
+        $request->headers->set('X-Requested-With', 'XMLHttpRequest');
+
+        $router = $this->createMock(RouterInterface::class);
+        $router
+            ->expects($this->once())
+            ->method('generate')
+            ->with('contao_backend_login', ['redirect' => $request->getUri()])
+            ->willReturn('http://localhost/contao/login?redirect=https%3A%2F%2Fcontao.org%2Fpreview.php%2Fabout-contao.html')
+        ;
+
+        $scopeMatcher = $this->createMock(ScopeMatcher::class);
+        $scopeMatcher
+            ->expects($this->once())
+            ->method('isBackendRequest')
+            ->with($request)
+            ->willReturn(true)
+        ;
+
+        $entryPoint = new AuthenticationEntryPoint(
+            $router,
+            new UriSigner('secret'),
+            $scopeMatcher
+        );
+
+        $response = $entryPoint->start($request);
+
+        $this->assertFalse($response->headers->has('Location'));
+        $this->assertSame(401, $response->getStatusCode());
+        $this->assertSame('http://localhost/contao/login?_hash=%2FxSCw6cwMlws5DEhBCvs0%2F75oQA8q%2FgMkZEnYCf6QSE%3D&redirect=https%3A%2F%2Fcontao.org%2Fpreview.php%2Fabout-contao.html', $response->headers->get('X-Ajax-Location'));
+    }
+
     public function testAddsARefererToTheBackendRedirectUrlIfTheQueryIsEmpty(): void
     {
         $request = Request::create('/');