diff --git a/api-server/server/boot/authentication.js b/api-server/server/boot/authentication.js
index 4fd4176ea6..19f01f10e6 100644
--- a/api-server/server/boot/authentication.js
+++ b/api-server/server/boot/authentication.js
@@ -39,12 +39,6 @@ module.exports = function enableAuthentication(app) {
 const ifNoUserRedirectHome = ifNoUserRedirectTo(homeLocation);
 const saveAuthCookies = saveResponseAuthCookies();
 const loginSuccessRedirect = loginRedirect();
- const addRedirect = (req, res, next) => {
- if (req && req.query && req.query.returnTo) {
- req.query.returnTo = `${homeLocation}/${req.query.returnTo}`;
- }
- return next();
- };
 const api = app.loopback.Router();
 // Use a local mock strategy for signing in if we are in dev mode.
@@ -53,18 +47,27 @@ module.exports = function enableAuthentication(app) {
 if (process.env.LOCAL_MOCK_AUTH === 'true') {
 api.get(
 '/signin',
- addRedirect,
 passport.authenticate('devlogin'),
 saveAuthCookies,
 loginSuccessRedirect
 );
 } else {
- api.get('/signin', addRedirect, ifUserRedirect, (req, res, next) => {
- const state = req.query.returnTo
- ? Buffer.from(req.query.returnTo).toString('base64')
- : null;
- return passport.authenticate('auth0-login', { state })(req, res, next);
- });
+ api.get(
+ '/signin',
+ (req, res, next) => {
+ if (req && req.query && req.query.returnTo) {
+ req.query.returnTo = `${homeLocation}/${req.query.returnTo}`;
+ }
+ return next();
+ },
+ ifUserRedirect,
+ (req, res, next) => {
+ const state = req.query.returnTo
+ ? Buffer.from(req.query.returnTo).toString('base64')
+ : null;
+ return passport.authenticate('auth0-login', { state })(req, res, next);
+ }
+ );
 api.get(
 '/auth/auth0/callback',
diff --git a/api-server/server/component-passport.js b/api-server/server/component-passport.js
index fb467d9edc..fa12146774 100644
--- a/api-server/server/component-passport.js
+++ b/api-server/server/component-passport.js
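Review bot: In the new first handler of the auth0 `/signin` route, `req.query.returnTo` is rewritten to `${homeLocation}/${req.query.returnTo}` with no validation, and the base64 of that caller-controlled value then becomes the OAuth `state` handed to `passport.authenticate('auth0-login', { state })`. A `state` derived from a query parameter rather than an unpredictable per-request value gives no CSRF binding on the callback unless the strategy or the callback handler (outside this hunk) layers its own nonce on top, which nothing here shows; the route deserves a comment saying which it is, e.g. `// state carries the base64 return path, not an anti-CSRF nonce — the callback must not rely on it for that`. The `req && req.query &&` guard is dead in an Express handler with the default query parser, where `req.query` is always an object, so `if (req.query.returnTo) {` is enough. The mock-auth branch above drops the rewrite entirely while this branch keeps it, so the two paths now disagree about `returnTo`. The enclosing `enableAuthentication` function continues past both ends of the hunk.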
@@ -81,8 +81,9 @@ export const saveResponseAuthCookies = () => {
 export const loginRedirect = () => {
 return (req, res) => {
 const successRedirect = req => {
- if (req && req.query && req.query.returnTo) {
- return req.query.returnTo;
+ if (!!req && req.session && req.session.returnTo) {
+ delete req.session.returnTo;
+ return `${homeLocation}/learn`;
 }
 return `${homeLocation}/learn`;
 };
diff --git a/api-server/server/middleware.json b/api-server/server/middleware.json
index 3588498b11..445290954d 100644
--- a/api-server/server/middleware.json
+++ b/api-server/server/middleware.json
@@ -29,6 +29,7 @@
 "auth:before": {
 "express-flash": {},
 "./middlewares/express-extensions": {},
+ "./middlewares/add-return-to": {},
 "./middlewares/cookie-parser": {},
 "./middlewares/request-authorization": {}
 },
diff --git a/api-server/server/middlewares/add-return-to.js b/api-server/server/middlewares/add-return-to.js
new file mode 100644
index 0000000000..47d7bbfc03
--- /dev/null
+++ b/api-server/server/middlewares/add-return-to.js
@@ -0,0 +1,37 @@
+const pathsOfNoReturn = [
+ 'link',
+ 'auth',
+ 'login',
+ 'logout',
+ 'signin',
+ 'signup',
+ 'fonts',
+ 'favicon',
+ 'js',
+ 'css'
+];
+
+const pathsAllowedList = ['challenges', 'map', 'commit'];
+
+const pathsOfNoReturnRegex = new RegExp(pathsOfNoReturn.join('|'), 'i');
+const pathsAllowedRegex = new RegExp(pathsAllowedList.join('|'), 'i');
+
+export default function addReturnToUrl() {
+ return function(req, res, next) {
+ // Remember original destination before login.
+ var path = req.path.split('/')[1];
+
+ if (
+ req.method !== 'GET' ||
+ pathsOfNoReturnRegex.test(path) ||
+ !pathsAllowedRegex.test(path) ||
+ /hot/i.test(req.path)
+ ) {
+ return next();
+ }
+ req.session.returnTo = req.originalUrl.includes('/map')
+ ? '/'
+ : req.originalUrl;
+ return next();
+ };
+}
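Review bot: Both branches of the new `successRedirect` return `${homeLocation}/learn`, so the `req.session.returnTo` value written by `add-return-to.js` elsewhere in this commit is deleted here without ever being used, and the return-to-origin behaviour that the removed `req.query.returnTo` branch provided is now absent. If that is deliberate while the stored path is still being vetted, a comment such as `// returnTo is consumed but not yet honoured` would keep the next reader from treating it as a bug; if not, the branch should return `${homeLocation}${returnTo}` only after checking that the session value is a same-origin path starting with a single `/`, so a stored URL can never become an off-site redirect. `!!req &&` inside an `&&` chain is a redundant double negation; the removed line's `req &&` reads the same. `loginRedirect` continues past the end of the hunk.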
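Review bot: `pathsOfNoReturnRegex` and `pathsAllowedRegex` are built from `join('|')` with no anchors, so each `.test(path)` matches anywhere inside the first path segment rather than the whole segment — a two-letter entry like `js` or a short one like `map` will match unrelated segments that merely contain those letters, making both the deny list and the allow list broader than the arrays suggest. Anchoring fixes it: ``const pathsOfNoReturnRegex = new RegExp(`^(?:${pathsOfNoReturn.join('|')})$`, 'i');`` and the same shape for `pathsAllowedRegex`. Because `req.session.returnTo` is saved for a later redirect, it is also worth checking that `req.originalUrl` starts with exactly one `/` before storing it, so only a same-origin path can ever reach the redirect, and giving the uncommented `/hot/i` exclusion a one-line comment saying what it excludes. `var path` should be `const path`, and the handler assumes `req.session` exists (it throws otherwise), which depends on session middleware running before the `auth:before` phase this is registered in via `middleware.json`; `// requires session middleware to be mounted earlier` would make that dependency visible.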