fix: respect return_to URL parameter in registration flow when the …

…user is already registered (ory#2957)
senteca · Dec 19, 2022 · a36ddf5 · a36ddf5
1 parent 9651d8a
commit a36ddf5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go
@@ -290,7 +290,16 @@ func (h *Handler) createBrowserRegistrationFlow(w http.ResponseWriter, r *http.R
 			return
 		}
 
-		http.Redirect(w, r, h.d.Config().SelfServiceBrowserDefaultReturnTo(r.Context()).String(), http.StatusSeeOther)
+		returnTo, redirErr := x.SecureRedirectTo(r, h.d.Config().SelfServiceBrowserDefaultReturnTo(r.Context()),
+			x.SecureRedirectAllowSelfServiceURLs(h.d.Config().SelfPublicURL(r.Context())),
+			x.SecureRedirectAllowURLs(h.d.Config().SelfServiceBrowserAllowedReturnToDomains(r.Context())),
+		)
+		if redirErr != nil {
+			h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, redirErr)
+			return
+		}
+
+		http.Redirect(w, r, returnTo.String(), http.StatusSeeOther)
 		return
 	}
 

diff --git a/selfservice/flow/registration/handler_test.go b/selfservice/flow/registration/handler_test.go
@@ -43,6 +43,10 @@ func TestHandlerRedirectOnAuthenticated(t *testing.T) {
 	router := x.NewRouterPublic()
 	ts, _ := testhelpers.NewKratosServerWithRouters(t, reg, router, x.NewRouterAdmin())
 
+	// Set it first as otherwise it will overwrite the ViperKeySelfServiceBrowserDefaultReturnTo key;
+	returnToTS := testhelpers.NewRedirTS(t, "return_to", conf)
+	conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{returnToTS.URL})
+
 	redirTS := testhelpers.NewRedirTS(t, "already authenticated", conf)
 	conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationEnabled, true)
 	testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/identity.schema.json")
@@ -58,6 +62,12 @@ func TestHandlerRedirectOnAuthenticated(t *testing.T) {
 		assert.Contains(t, res.Request.URL.String(), registration.RouteInitAPIFlow)
 		assertx.EqualAsJSON(t, registration.ErrAlreadyLoggedIn, json.RawMessage(gjson.GetBytes(body, "error").Raw))
 	})
+
+	t.Run("does redirect to return_to url on authenticated request", func(t *testing.T) {
+		body, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, x.NewTestHTTPRequest(t, "GET", ts.URL+registration.RouteInitBrowserFlow+"?return_to="+returnToTS.URL, nil))
+		assert.Contains(t, res.Request.URL.String(), returnToTS.URL)
+		assert.EqualValues(t, "return_to", string(body))
+	})
 }
 
 func TestInitFlow(t *testing.T) {