[4.x]: craft.app.user.getReturnUrl() does not always seem to return the correct returnUrl

[jmldavis]

What happened?

Description

I'm trying to build a user flow in which a guest user:

• navigates to a page that requires login
• gets redirected to login screen with a 'you must be logged in to get there' message
• logs in
• gets redirected to the page that they were redirected from

In doing this, I am using craft.app.user.getReturnUrl() to judge whether there is a returnUrl, and therefore whether to show the message on the login page. However, when you login, although it appears superficially from UsersController.php->_handleSuccessfulLogin() that the returnUrl gets 'cleared out' i.e. deleted on successful login, calling craft.app.user.getReturnUrl() in fact does not return null but the base URL of the site. I can retrieve what I think is the correct value (null) by calling craft.app.session.get(craft.app.user.returnUrlParam) but this seems like a somewhat hacky way of achieving what I'm trying to do.

Now, it may be that I've missed something obvious, or I'm simply stretching Craft beyond what it was intended for in some way that I don't see, but this feels like a bug from what I've been able to glean from glances at the source code. Happy to be corrected and pointed in the right direction though.

Steps to reproduce

1. In template_a.twig, put

{% requireLogin %}

{{ craft.app.user.getReturnUrl() }}
{{ craft.app.session.get(craft.app.user.returnUrlParam) }}

...rest of template

2. In login template, put something like this:

{% if craft.app.user.getReturnUrl() %}
    You must be signed in to access that content
{% endif %}

...login form

3. Now, as a guest user, navigate to template_a.twig in the browser.
4. See that you are redirected to login, and see the You must be signed in to access that content message.
5. Login successfully with some correct credentials and get redirected to template_a.twig.
6. See that the output of craft.app.user.getReturnUrl() is {YOUR SITE URL} and that of craft.app.session.get(craft.app.user.returnUrlParam) is null.
7. If you log out now and return directly to the login page, you will still – incorrectly – see the You must be signed in to access that content message.

Expected behavior

Calling craft.app.user.getReturnUrl() would return null when there is no returnUrl in session, i.e. when you've just logged in or logged out, or haven't been explicitly redirected to the login screen.

Actual behavior

Calling craft.app.user.getReturnUrl() after successful login (or logout) shows the Base URL of the site.

Craft CMS version

4.4.17

PHP version

8.0

Operating system and version

macOS Mojave 10.14.6

Database type and version

MariaDB 10.4

Image driver and version

No response

Installed plugins and versions

"craftcms/redactor": "3.0.4",
"nystudio107/craft-seomatic": "4.0.30",
"nystudio107/craft-typogrify": "4.0.1",
"verbb/super-table": "3.0.9",

[i-just]

Hi, thanks for getting in touch.

The getReturnUrl() method “Returns the URL that the browser should be redirected to after successful login.” and by design, it shouldn’t return null: https://github.com/yiisoft/yii2/blob/master/framework/web/User.php#L405

It’s also worth noting this configuration option: https://craftcms.com/docs/4.x/config/general.html#postloginredirect. If you were to change the postLoginRedirect value to, e.g. /after-login-page, then getReturnUrl() would return that URL.

You can, however achieve what you’re after by, e.g. setting a flash in your template_a.twig before requiring login:

{% do craft.app.session.setFlash('requireLoginMessage') %}
{% requireLogin %}

and then checking for it in the login page template:

{% if craft.app.session.hasFlash('requireLoginMessage') %}
    You must be signed in to access that content
{% endif %}

If you visit /template_a as a guest, flash will get set, you’ll get redirected to the login page, and you’ll see your message, but if you go directly to the login page, the message won’t be shown.

I hope this helps!