Pode
Add-PodeAuth -SuccessUseOrigin doesn't redirect to requested site
Describe the Bug
Experienced this particular issue while using Azure AD, single sign on, global authentication.
The bug affects only the very first login (where I guess there's no session, or it expired). When accessing a specific page, e.g. https://example.com/cat-facts, successful authentication redirects to https://example.com/, so the user would either need to manually open the desired page or click the link a second time.
Steps To Reproduce
- Use Add-PodeAuth -SuccessUseOrigin
- Go to https://example.com/cat-facts
- You're being redirected to https://example.com/
Expected Behaviour
Ideally, Pode would "remember" the originating site and redirect to it after successful authentication. Going to https://example.com/cat-facts would in fact redirect to https://example.com/cat-facts after initial successful authentication.
Platform
- OS: [Windows]
- Browser: [Edge]
- Versions:
- Pode: [Pode v2.7.1]
- PodeWeb: [0.8.1]
- PowerShell: [PS5.1]
I just ran into what I think is this bug today. When I'm using azureAD for auth with -successuseorigin it redirects back to http://localhost:8081/oauth2/callback?code=
Also on pode 2.7.1 and windows powershell 5.1
Hey @thekamilpro, @robertfshort,
I think I might have just fixed this one as a part of #1036 - as redirecting now seems to work OK for me.
Would either of you be in a position to test what's currently in the develop branch, and see if redirecting now works for yourselves?
If you can't get develop to build locally, I believe changing the line locally at https://github.com/Badgerati/Pode/blob/8aa7c2b220a1a86bb9732148834f7821ada15a28/src/Private/Authentication.ps1#L1345 to be just if ($Success.UseOrigin) { should work 🤔
Thanks! 😄
I'm having the same issue as @thekamilpro while trying to use the -SuccessUseOrigin switch with Add-PodeAuth. I also tried modifying line 1345 of Pode/src/Private/Authentication.ps1:
if ($Success.UseOrigin -and ($WebEvent.Method -ieq 'get')) { to be just if ($Success.UseOrigin) {
However, the issue persisted.
Platform
- Pode Host: [Ubuntu 22.04]
- Powershell: [7.3.0]
- Pode Module: [2.7.2]
- Client Browser: [Edge v109.0.1518.55]
Hey @thekamilpro, @robpitcher,
I might have found the issue: the redirecturl cookie wasn't being set when the redirect for oauth occurred.
Along with the change stated in my previous comment, you'll also need to add the following lines:
if ($auth.Success.UseOrigin -and ($WebEvent.Method -ieq 'get')) {
    $null = Set-PodeCookie -Name 'pode.redirecturl' -Value $WebEvent.Request.Url.PathAndQuery
}
to just before this line (still within the if ($result.IsRedirected)):
https://github.com/Badgerati/Pode/blob/8aa7c2b220a1a86bb9732148834f7821ada15a28/src/Private/Authentication.ps1#L1182
I was able to reproduce the issue, and with the above lines the redirecting to the originating page now works for me.
If you're able to test this, let me know what happens 😄
So I'm now seeing the pode.redirecturl cookie is being set, but it still doesn't redirect as expected. I tested a workaround by adding some logic to the scriptblock of route /oauth2/callback to handle the redirect and this worked:
Add-PodeRoute -Method Get -Path '/oauth2/callback' -Authentication Login -ScriptBlock {
    $originPage = Get-PodeCookie -Name 'pode.redirecturl'
    Move-PodeResponseUrl -Url $originPage.value
}
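The workaround above follows whatever the pode.redirecturl cookie contains, and a cookie is client-controlled. As an added example (not part of the thread and not Pode's own code), here is a check that only lets a site-local path through before redirecting; `Resolve-RedirectTarget` and its parameters are hypothetical names, and the sample values are constructed.

```powershell
# Added example, not Pode code. Resolve-RedirectTarget is a hypothetical helper.
function Resolve-RedirectTarget {
    [OutputType([string])]
    param(
        [string]$Target,                             # cookie value (client-controlled)
        [string]$CallbackPath = '/oauth2/callback',  # assumed callback route
        [string]$Default = '/'                       # fallback when the value is rejected
    )

    # Empty or missing cookie: nothing to go back to.
    if ([string]::IsNullOrWhiteSpace($Target)) { return $Default }

    # Only a site-local path is acceptable: one leading '/', and not '//' or '/\',
    # which browsers treat as a scheme-relative URL pointing at another host.
    if ($Target -notmatch '^/(?![/\\])') { return $Default }

    # Backslashes and control characters (CR/LF included) do not belong in a Location header.
    if ($Target -match '[\\\x00-\x1f\x7f]') { return $Default }

    # Never send the browser back to the OAuth callback itself (stale ?code= loop).
    $path = ($Target -split '[?#]', 2)[0]
    if ($path.TrimEnd('/') -ieq $CallbackPath.TrimEnd('/')) { return $Default }

    return $Target
}

# In the callback route from the thread this would be used as:
#   $originPage = Get-PodeCookie -Name 'pode.redirecturl'
#   Move-PodeResponseUrl -Url (Resolve-RedirectTarget -Target $originPage.Value)

# Constructed sample cookie values, checked offline without Pode loaded.
$samples = @(
    '/cat-facts'
    '/cat-facts?page=2'
    ''
    'https://other.example/'
    '//other.example/cat-facts'
    '/\other.example'
    "/cat-facts`r`nSet-Cookie: x=1"
    '/oauth2/callback?code=abc'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Cookie = $s; RedirectTo = Resolve-RedirectTarget -Target $s }
}
```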
Hi @robpitcher,
That's interesting, because that's the same logic Pode uses to do the redirecting directly within authentication 🤔
Are you able to show more of your script - mostly the lines where you add the auth/scheme?
@Badgerati yes, here's the full auth/scheme setup:
Enable-PodeSessionMiddleware -Duration 120 -Extend
$scheme = New-PodeAuthAzureADScheme -ClientID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ClientSecret 'xxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxx' -Tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -RedirectUrl https://api.mydomain.com/oauth2/callback
$scheme | Add-PodeAuth -Name 'Login' -SuccessUseOrigin -ScriptBlock {
    param($user, $accessToken, $refreshToken, $response)
    # check if the user is valid
    return @{ User = $user }
}
@robpitcher,
I might have found something, what happens if you set -SuccessUrl '/' (or any random path in theory, since we're redirecting to the origin) on your Add-PodeAuth?
what happens if you set -SuccessUrl '/' (or any random path in theory, since we're redirecting to the origin) on your Add-PodeAuth?
So I tested this and the result was that I was redirected to the SuccessUrl regardless of origin. Tested this on Pode v2.8.0.
Looks like this issue still exists in 2.10.1
I tried setting up a custom callback as @robpitcher suggested, but get a 500 error. Did the change to set the redirection cookie ever make it into the base version of PODE or do I need to go make the changes @Badgerati noted above? Alternatively is there something I can add to my code to set that cookie rather than having to modify the base PODE files?
start-podeserver {
    add-podeendpoint -address * -hostname localhost -port 8081 -protocol http
    enable-podesessionmiddleware -duration 1200 -extend
    $scheme = New-PodeAuthAzureADScheme @azureauth -RedirectUrl '/callback'
    $scheme | Add-PodeAuth -Name 'Login' -FailureUrl '/loginfailure' -Successuseorigin -ScriptBlock {
        param($user, $accessToken, $refreshToken, $response)
        $id_token=convertfrom-podejwt -token $response.id_token -IgnoreSignature
        $user|add-member -NotePropertyName 'roles' -NotePropertyValue $id_token
        return @{User = $user}
    }
    Add-PodeRoute -Method Get -Path '/' -ScriptBlock {
        $html=@"
Page Name: $($webevent.path)<br>
Session data: Username: $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
<a href="/">index page</a><br>
<a href="/locked">auth-required page</a><br>
<a href="/login">login page</a><br>
<a href="/docs">API Documentation Page</a><br>
<br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }
    Add-PodeRoute -Method Get -Path '/locked' -Authentication Login -scriptblock{
        $html=@"
Page Name: $($webevent.path)<br>
Session data: Username: $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
<a href="/">index page</a><br>
<a href="/locked">auth-required page</a><br>
<a href="/login">login page</a><br>
<a href="/docs">API Documentation Page</a><br>
<br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }
    Add-PodeRoute -Method Get -Path '/loginfailure' -Authentication Login -scriptblock{
        $html=@"
Page Name: $($webevent.path)<br>
Session data: Username: $($webevent.session.data.auth.user.name) Email: $($webevent.session.data.auth.user.email)<br>
<br>
<a href="/">index page</a><br>
<a href="/locked">auth-required page</a><br>
<a href="/login">login page</a><br>
<a href="/docs">API Documentation Page</a><br>
<br>
"@
        $webevent|out-default
        write-podehtmlresponse -value $html
    }
    # login - this will just redirect to azure
    Add-PodeRoute -Method Get -Path '/login' -Authentication Login
    # logout
    Add-PodeRoute -Method post -Path '/logout' -Authentication Login -Logout -scriptblock{
        move-poderesponseurl -url '/'
    }
    Add-PodeRoute -Method Get -Path '/callback' -Authentication Login -ScriptBlock {
        Get-PodeCookie -Name 'pode.redirecturl'|out-default
        $originPage = Get-PodeCookie -Name 'pode.redirecturl'
        Move-PodeResponseUrl -Url $originPage.value
    }
    Enable-podeopenapi -path '/docs/openapi' -DisableMinimalDefinitions #-EnableSchemaValidation
    add-podeOAInfo -title 'API Docs' -Version 1.0.0 -description "Documentation"
    #write-podehost "Enabling openapi viewers"
    enable-podeopenapiviewer -type swagger -path '/docs/swagger'
    enable-podeopenapiviewer -type redoc -path '/docs/redoc'
    enable-podeopenapiviewer -bookmarks -path '/docs'
}
Hi @robertfshort,
The redirect code above wasn't added in, I actually thought I had!
The authentication logic has changed quite a bit since the line changes referenced above were suggested, so I'll need to go back and see if anything needs re-implementing.