Rails 7: allow redirections to other/external hosts after logout. #5462
Conversation
def redirect_to_after_sign_out_path | ||
redirect_to after_sign_out_path_for(resource_name), allow_other_host: true | ||
end |
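Review bot: passing allow_other_host: true unconditionally in redirect_to_after_sign_out_path switches off the Rails 7 same-host check for whatever after_sign_out_path_for returns, so an application whose override builds that path from a user-provided URL loses the UnsafeRedirectError protection without ever opting in. Consider leaving the Rails default in place and letting applications supply the redirect options themselves (the after_sign_out_redirect_options_for idea raised later in this thread), or at least gate it behind an explicit config, and add a sessions-controller test for the external-host case, since the change ships without one.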
I am not sure about what's the best place to write tests for this. If someone can point me in a direction I'll be happy to add tests 😃.
After thinking about the proposed solution a bit longer, I wonder if it actually is the best one 😅.
Different use cases might require different options to be passed to the redirect_to. It's probably not possible to cover all such cases by hard coding options here. So, the question that comes to my mind now is: What's the best way to override the options passed to the redirect_to? For example, to also change the redirection status code etc.
- Override the destroy action in the controller. Then, having full control over the redirection (already possible).
- Provide a after_sign_out_redirect_options_for method or similar where users can define the custom options for the redirection?
- Other...
Or set the default in Devise in the meantime to allow_other_host: true and put a warning in a comment in after_sign_up_path_for about overriding it with user-provided URLs? You have to go out of your way to override the method, so it doesn't seem like a less secure default.
There are other places than logout that For instance, if I'm on I don't know how many instances like this there are
Yes indeed. For instance we need to be able to set it for the registrations_controller: https://github.com/heartcombo/devise/blob/v4.8.1/app/controllers/devise/registrations_controller.rb#L25-L29
Any chance this will be looked into soon? The same issue happens if after_sign_in_path_for is overridden to return an external host.
I'm also having this issue because I want to redirect to an external Stripe checkout page after a user signs up. For now I am overriding the
Seems like the best way to approach this is add a Should be relatively straightforward I think
+1 on improvements here, my login broke after a Rails 7 upgrade because I am routing users to a per-user custom external URLs in
+1 to improvements here, for now we will have to set this new config to false to have our app to still work with devise.
+1 Haven't found another way than setting
I just ran into this problem in a project and fixed it across the entirety of devise with

```ruby
class DeviseController
  # Monkey patch so Devise's redirects keep working under the Rails 7 default
  # of raising on redirects to other hosts. Note this opts every Devise
  # redirect out of that check, not only the logout one. Needs Ruby 2.7+
  # for UnboundMethod#bind_call.
  original_redirect_to = instance_method(:redirect_to)

  define_method(:redirect_to) do |options = {}, response_options = {}|
    # Rails reads allow_other_host from the second (response options) hash,
    # so set it there whether options is a URL string or a url_for Hash.
    response_options = { allow_other_host: true }.merge(response_options)
    original_redirect_to.bind_call(self, options, response_options)
  end
end
```

But please can this be fixed properly?
Context
When using different authentication strategies, devise_saml_authenticatable in my case, it's common to redirect the user to an external host after logout.
Rails 7 requires explicitly passing allow_other_host: true to redirect_to to allow such redirections. Otherwise, an ugly exception is raised.
Devise version: 4.8.1
Rails version: 7.0.1
Expected behaviour
When using devise with Rails 7 and setting the after_sign_out_path_for to an external host, the user is successfully redirected.
Current behaviour
When using devise with Rails 7 and setting the after_sign_out_path_for to an external host, an ActionController::Redirecting::UnsafeRedirectError is raised.
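The Rails 7 same-host check described above, together with the per-application options hook proposed in the discussion, as an added plain-Ruby example that is neither Devise's nor Rails' code: enforce_open_redirect_protection models the check that raises UnsafeRedirectError, and after_sign_out_redirect_options_for (name from the thread) decides per destination instead of hardcoding allow_other_host: true; the trusted-host list, the SAML logout URL and the request host are constructed sample values.

```ruby
require "uri"

# Stand-in for ActionController::Redirecting::UnsafeRedirectError.
class UnsafeRedirectError < StandardError; end

# Models the Rails 7 behaviour the PR describes: an absolute URL whose host
# differs from the request host is refused unless allow_other_host: true is
# passed explicitly. Relative paths always pass. Protocol-relative URLs
# ("//other.example/x") have a host and are therefore treated as other-host.
def enforce_open_redirect_protection(location, request_host, allow_other_host: false)
  target = URI.parse(location)
  other_host = !target.host.nil? && target.host.downcase != request_host.downcase
  raise UnsafeRedirectError, "Unsafe redirect to #{location.inspect}" if other_host && !allow_other_host
  location
end

# Constructed allowlist of hosts this app is willing to send users to after
# logout (e.g. the SAML identity provider's single-logout endpoint).
TRUSTED_LOGOUT_HOSTS = %w[idp.example.com].freeze

# Hypothetical app override of Devise's after_sign_out_path_for.
def after_sign_out_path_for(_scope)
  "https://idp.example.com/slo" # constructed SLO endpoint
end

# Hypothetical hook from the discussion: the app, not the library, decides
# whether the other-host redirect is allowed, and only for hosts it trusts.
def after_sign_out_redirect_options_for(scope)
  host = URI.parse(after_sign_out_path_for(scope)).host
  { allow_other_host: TRUSTED_LOGOUT_HOSTS.include?(host) }
end

# What redirect_to_after_sign_out_path would do with such a hook: returns the
# location it would redirect to, or raises UnsafeRedirectError.
def redirect_to_after_sign_out_path(scope, request_host)
  enforce_open_redirect_protection(after_sign_out_path_for(scope), request_host,
                                   **after_sign_out_redirect_options_for(scope))
end
```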