Redirect to index on auth-failure if user not logged in (fixes #192)
Change-Id: Ifc38d975542b6b30fa2b4bae6d5753d80be4e642
diff --git a/Changes b/Changes
index ce00b06..5487ca9 100755
--- a/Changes
+++ b/Changes
@@ -25,8 +25,10 @@
- Improve security of OAuth redirects. (diewald)
- Improve error handling for non-redirect error responses.
(diewald)
- - Fix Gruntfile to copy css files after sass
+ - Fix Gruntfile to copy css files after sass.
(fixes #184; diewald)
+ - Redirect to index on authorization failure,
+ in case user is not logged in. (fixes #192; diewald)
WARNING: Mojolicious 9.31 is a security update -
updating is highly recommended.
diff --git a/lib/Kalamar/Plugin/Auth.pm b/lib/Kalamar/Plugin/Auth.pm
index 75d231f..80422ab 100644
--- a/lib/Kalamar/Plugin/Auth.pm
+++ b/lib/Kalamar/Plugin/Auth.pm
@@ -1152,7 +1152,9 @@
else {
$c->notify(error => $c->loc('Auth_paramError'));
};
- return $c->redirect_to('oauth-settings');
+
+ # If logged in, go to oauth settings - otherwise to index
+ return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index');
};
foreach (qw!scope client_id state redirect_uri!) {
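Review bot: The ternary `$c->auth->token ? 'oauth-settings' : 'index'` introduced on the redirect line here is repeated verbatim, comment included, in the four Auth.pm hunks that follow (the missing-redirect_uri branch, the promise rejection handler, the validation-error branch and the non-redirect error branch); a single helper such as `sub _fallback_route { my $c = shift; return $c->auth->token ? 'oauth-settings' : 'index' }` used as `$c->redirect_to(_fallback_route($c))` would keep the "logged in" decision in one place so a later change to how a session is recognised cannot drift between the five copies. Whether the mere presence of a token is an adequate logged-in test cannot be judged from the hunk — an expired or revoked token would still select 'oauth-settings' — so if that route is itself auth-guarded the user is presumably bounced a second time, which is harmless but worth stating in the comment, e.g. `# a stale token still picks oauth-settings; that route re-checks auth`. The enclosing route callback starts and ends outside this hunk.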
@@ -1213,7 +1215,9 @@
# Redirect unknown
else {
$c->notify(error => 'redirect_uri not set');
- return $c->redirect_to('oauth-settings');
+
+ # If logged in, go to oauth settings - otherwise to index
+ return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index');
};
# No userinfo allowed
@@ -1246,7 +1250,9 @@
sub {
my $error = shift;
$c->notify(error => $error);
- return $c->redirect_to('oauth-settings');
+
+ # If logged in, go to oauth settings - otherwise to index
+ return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index');
}
);
}
@@ -1275,7 +1281,8 @@
# Render with error
if ($v->has_error) {
- my $url = $c->url_for('oauth-settings');
+ # If logged in, go to oauth settings - otherwise to index
+ my $url = $c->url_for($c->auth->token ? 'oauth-settings' : 'index');
if ($v->has_error('client_id')) {
$url->query([error_description => $c->loc('Auth_clientIDFail')]);
@@ -1360,7 +1367,9 @@
# Do not redirect!
else {
$c->notify(error => $err_msg);
- $url = $c->url_for('oauth-settings');
+
+ # If logged in, go to oauth settings - otherwise to index
+ $url = $c->url_for($c->auth->token ? 'oauth-settings' : 'index');
};
return Mojo::Promise->resolve($url);
diff --git a/t/plugin/auth-oauth.t b/t/plugin/auth-oauth.t
index 67ddedd..3e5b78c 100644
--- a/t/plugin/auth-oauth.t
+++ b/t/plugin/auth-oauth.t
@@ -811,12 +811,26 @@
->session_hasnt('/user')
->header_is('Location' => '/');
-$csrf = $t->get_ok('/')
+$t->get_ok('/')
->status_is(200)
->element_exists_not('div.notify-error')
->element_exists('div.notify-success')
->text_is('div.notify-success', 'Logout successful')
->element_exists("input[name=handle_or_email]")
+ ;
+
+# OAuth client authorization flow - but user not logged in
+$t->get_ok(Mojo::URL->new('/settings/oauth/authorize'))
+ ->status_is(302)
+ ->header_is('location','/')
+ ;
+
+$csrf = $t->get_ok('/')
+ ->status_is(200)
+ ->element_exists('div.notify-error')
+ ->element_exists_not('div.notify-success')
+ ->text_is('div.notify-error', 'Client ID required')
+ ->element_exists("input[name=handle_or_email]")
->tx->res->dom->at('input[name=csrf_token]')->attr('value')
;