From 7857c3932b925f6b4c6c361302bcc9157337ea0f Mon Sep 17 00:00:00 2001
From: "Nicholas Carrigan (he/him)"
Date: Thu, 17 Jun 2021 11:24:18 -0700
Subject: [PATCH] fix: signout redirect (#42538)
Co-authored-by: Oliver Eyton-Williams
---
 api-server/src/server/boot/authentication.js | 4 ++--
 api-server/src/server/component-passport.js | 16 +++++++++++++---
 api-server/src/server/utils/redirection.js | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/api-server/src/server/boot/authentication.js b/api-server/src/server/boot/authentication.js
index 341f13d636..45fc4f29f7 100644
--- a/api-server/src/server/boot/authentication.js
+++ b/api-server/src/server/boot/authentication.js
@@ -63,7 +63,7 @@ module.exports = function enableAuthentication(app) {
 }
 api.get('/signout', (req, res) => {
- const { origin } = getRedirectParams(req);
+ const { origin, returnTo } = getRedirectParams(req);
 req.logout();
 req.session.destroy(err => {
 if (err) {
@@ -74,7 +74,7 @@ module.exports = function enableAuthentication(app) {
 });
 }
 removeCookies(req, res);
- res.redirect(origin);
+ res.redirect(returnTo);
 });
 });
diff --git a/api-server/src/server/component-passport.js b/api-server/src/server/component-passport.js
index a9c9e31ba1..6f894d4b07 100644
--- a/api-server/src/server/component-passport.js
+++ b/api-server/src/server/component-passport.js
@@ -16,6 +16,7 @@ import { isRootPath } from './utils/redirection';
 import { jwtSecret } from '../../../config/secrets';
+import { availableLangs } from '../../../config/i18n/all-langs';
 const passportOptions = {
 emailOptional: true,
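Review bot: In api-server/src/server/boot/authentication.js the `/signout` handler now ends in `res.redirect(returnTo)`, a full URL taken from the request instead of a bare origin, so the only thing keeping it from being an open redirect is the default `normalizeParams` that `getRedirectParams(req)` applies, and that validator is not part of this patch. I would record the dependency at the call site in the first hunk, for example `// returnTo is validated by getRedirectParams' default normalizeParams; never pass a custom normaliser here`. A test asserting that /signout with an off-site return URL falls back to the home location would keep the guarantee from regressing. This covers both hunks of the file; the handler body between and after them lies outside the diff.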
@@ -85,13 +86,22 @@ export const devSaveResponseAuthCookies = () => {
 export const devLoginRedirect = () => {
 return (req, res) => {
- // this mirrors the production approach, but without any validation
+ // this mirrors the production approach, but only validates the prefix
 let { returnTo, origin, pathPrefix } = getRedirectParams(
 req,
- params => params
+ ({ returnTo, origin, pathPrefix }) => {
+ pathPrefix = availableLangs.client.includes(pathPrefix)
+ ? pathPrefix
+ : '';
+ return {
+ returnTo,
+ origin,
+ pathPrefix
+ };
+ }
 );
 returnTo += isRootPath(getRedirectBase(origin, pathPrefix), returnTo)
- ? 'learn'
+ ? '/learn'
 : '';
 return res.redirect(returnTo);
 };
diff --git a/api-server/src/server/utils/redirection.js b/api-server/src/server/utils/redirection.js
index f3a6dd832c..4c7fb7d74b 100644
--- a/api-server/src/server/utils/redirection.js
+++ b/api-server/src/server/utils/redirection.js
@@ -66,7 +66,7 @@ function getRedirectParams(req, _normalizeParams = normalizeParams) {
 const origin = returnUrl.origin;
 // if this is not one of the client languages, validation will convert
 // this to '' before it is used.
- const pathPrefix = returnUrl.pathname.split('/')[0];
+ const pathPrefix = returnUrl.pathname.split('/')[1];
 return _normalizeParams({ returnTo: returnUrl.href, origin, pathPrefix });
 }
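Review bot: The normaliser passed to `getRedirectParams` in `devLoginRedirect` checks only `pathPrefix`; `returnTo` and `origin` come back unchanged and `returnTo` goes straight into `res.redirect(returnTo)`, so this handler redirects to whatever return URL the request carries. That is acceptable only while the handler cannot be mounted outside local development, which this hunk does not show, so the comment should say it outright: `// dev only: returnTo and origin are NOT validated here; never mount this handler in production`. Separately, `returnTo` is `returnUrl.href` in redirection.js, which presumably ends in `/` for a bare origin, so appending `'/learn'` may produce `//learn` unless the trailing slash is stripped first.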
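Review bot: The switch to `split('/')[1]` in api-server/src/server/utils/redirection.js has no comment saying why element 1 is the first path segment, which makes the old bug easy to reintroduce. Assuming `returnUrl` is a URL object, I would add `// pathname always starts with '/', so split('/')[0] is '' and [1] is the first segment` above the line. The existing comment promises that validation turns an unknown prefix into `''`, which holds only for normalisers that actually do so; any caller supplying its own `_normalizeParams` takes on that check. getRedirectParams begins outside the hunk.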