Rails 7: allow redirections to other/external hosts after logout. #5462
Conversation
ammancilla
changed the title
|
|
||
| def redirect_to_after_sign_out_path | ||
| redirect_to after_sign_out_path_for(resource_name), allow_other_host: true | ||
| end |
There was a problem hiding this comment.
I am not sure about what's the best place to write tests for this. If someone can point me in a direction I'll be happy to add tests 😃.
There was a problem hiding this comment.
After thinking about the proposed solution a bit longer, I wonder if it actually is the best one 😅.
Different use cases might require different options to be passed to the redirect_to. It's probably not possible to cover all such cases by hard coding options here. So, the question that comes to my mind now is: What's the best way to override the options passed to the redirect_to? For example, to also change the redirection status code etc.
-
Override the
destroyaction in the controller. Then, having full control over the redirection (already possible). -
Provide a
after_sign_out_redirect_options_formethod or similar where users can define the custom options for the redirection? -
Other...
There was a problem hiding this comment.
Or set the default in Devise in the meantime to allow_other_host: true and put a warning in a comment in after_sign_up_path_for about overriding it with a user provided URLs? You have to go out of your way to override the method, so it doesn't seem like a less secure default.
|
There are other places than logout that For instance, if I'm on I don't know how many instances like this there are |
ammancilla
changed the title
Yes indeed. For instance we need to be able to set it for the registrations_controller: https://github.com/heartcombo/devise/blob/v4.8.1/app/controllers/devise/registrations_controller.rb#L25-L29 |
|
Any chance this will be looked into soon? The same issue happens if after_sign_in_path_for is overridden to return an external host. |
|
I'm also having this issue because I want to redirect to an external Stripe checkout page after a user signs up. For now I am overriding the |
|
Seems like the best way to approach this is add a Should be relatively straightforward I think |
|
+1 on improvements here, my login broke after a Rails 7 upgrade because I am routing users to a per-user custom external URLs in |
|
+1 to improvements here, for now we will have to set this new config to false to have our app to still work with devise. |
|
+1 Haven't found another way than setting |
|
I just ran in to this problem in project and fixed it across the entirety of devise with class DeviseController
# monkey patching devise so it can handle the new default behaviour in rails 7
# redirects
original_redirect_to = instance_method(:redirect_to)
define_method(:redirect_to) do |options, response_options = {}|
if options.is_a?(Hash)
options[:allow_other_host] = true unless options.key?(:allow_other_host)
elsif response_options.is_a?(Hash)
response_options[:allow_other_host] = true unless response_options.key?(:allow_other_host)
end
original_redirect_to
.bind_call(self, options, response_options)
end
endBut please can this be fixed properly? |
Context
When using different authentication strategies, devise_saml_autheticatable in my case, it's common to redirect the user to an external host after logout.
Rails 7 requires to explicitly pass
allow_other_host: truetoredirect_toto allow such redirections. Otherwise, an ugly exception is raised.4.8.17.0.1Expected behaviour.
When using devise with Rails 7 and setting the
after_sign_out_path_forto an external host, the user is sucessfully redirected.Current behaviour.
When using devise with Rails 7 and setting the
after_sign_out_path_forto an external host, aActionController::Redirecting::UnsafeRedirectErroris raised.