
Return URL only storing path?

Open aaricpittman opened this issue 2 years ago • 3 comments

What is the reasoning behind only storing the path for the x_return_to in store_location.rb?

I've got a use case where the user's original request is on a different subdomain than where they sign in. And because Devise strips off the domain, after authentication the user gets redirected to the path on the authentication subdomain rather than the originally requested subdomain and gets an error.

Environment

  • Ruby 2.7.5p203
  • Rails 6.1.7
  • Devise 4.8.1

aaricpittman, Nov 28 '22 15:11

The original commit (0582467032dcf25dd26f460dfef1b1edbaf65608) isn't very clear, and the related changelog isn't much help either, but I am guessing it was to make it safer against open redirects to other domains, should something "bad" get stored there for a later redirect (e.g. a user-controlled param of some sort).

Maybe we never considered a use case of redirecting to the same "domain" but another "subdomain", though. Do you control the call to store_location, or are you relying on Devise internals entirely for that? I could potentially see exposing an option à la the Rails allow_other_host option from redirect_to, but I am not sure how to make something like that work by default within Devise off the top of my head right now; it would probably need some more digging.

carlosantoniodasilva, Feb 09 '23 21:02
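To make the trade-off in the two comments above concrete, here is an added example (not Devise's code, and not what store_location.rb does today) of a return-to check that keeps the "path only" behaviour for the current host, rejects anything off-site, and relaxes the rule only for subdomains of a base domain the application configures. The base_domain value, the module name and the method signature are all assumptions made for this illustration; the sample URLs in the usage section are constructed.

```ruby
require "uri"

# Added example, not Devise's own code: a same-site-aware version of the
# "strip the host, keep only the path" rule applied when a stored location
# is read back after sign-in.
module ReturnToPolicy
  # Only web schemes, or none at all (a bare path or a scheme-relative URL).
  ALLOWED_SCHEMES = [nil, "http", "https"].freeze

  # stored       - value pulled back out of the session (user_return_to etc.)
  # request_host - host the sign-in request arrived on, e.g. "auth.example.com"
  # base_domain  - registrable domain whose subdomains we trust; assumed to be
  #                configured by the application, e.g. "example.com"
  # fallback     - where to send the user when the stored value is not safe
  def self.safe_return_to(stored, request_host:, base_domain:, fallback: "/")
    return fallback if stored.nil? || stored.strip.empty?
    # Backslashes are not valid in URIs, but some browsers read "/\evil.com"
    # as "//evil.com"; refuse them outright rather than trust the parser.
    return fallback if stored.include?("\\")

    uri = URI.parse(stored)
    return fallback unless ALLOWED_SCHEMES.include?(uri.scheme)
    # "javascript:..." and similar parse as opaque URIs with no path; reject.
    return fallback if uri.opaque

    path = uri.path.to_s.empty? ? "/" : uri.path
    path = "#{path}?#{uri.query}" if uri.query
    # A stored location is always an absolute path; anything else is noise.
    return fallback unless path.start_with?("/")

    host = uri.host&.downcase
    # No host at all: a plain path can only ever land on the current host.
    # This is the shape Devise stores today.
    return path if host.nil?

    # Same host as the sign-in request: behave like Devise and drop the host.
    return path if host == request_host.downcase

    # Another subdomain of our own base domain: keep the host so the user
    # ends up where they started. The leading-dot check is what stops
    # "example.com.evil.com" from passing as a subdomain.
    base = base_domain.downcase
    if host == base || host.end_with?(".#{base}")
      scheme = uri.scheme || "https"
      port = uri.port && uri.port != uri.default_port ? ":#{uri.port}" : ""
      return "#{scheme}://#{host}#{port}#{path}"
    end

    # Any other host is an open redirect waiting to happen.
    fallback
  rescue URI::InvalidURIError
    fallback
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might come out of the session.
  opts = { request_host: "auth.example.com", base_domain: "example.com" }
  [
    "/dashboard?tab=2",                    # plain path: kept as-is
    "https://auth.example.com/settings",   # same host: reduced to the path
    "https://app.example.com/billing",     # sibling subdomain: kept whole
    "https://evil.com/",                   # off-site: fallback
    "//evil.com/x",                        # scheme-relative off-site: fallback
    "https://example.com.evil.com/",       # suffix trick: fallback
    "javascript:alert(1)",                 # non-web scheme: fallback
  ].each do |stored|
    puts "#{stored.ljust(36)} => #{ReturnToPolicy.safe_return_to(stored, **opts)}"
  end
end
```

The check deliberately returns a full URL only when the host is the configured base domain or one of its subdomains; that is the one case the issue asks for, and it is also the case where a Rails redirect_to would need allow_other_host: true, so the decision is made once, here, rather than at every call site. Whether to also refuse an http scheme when the sign-in request itself was https is a separate policy question the example leaves to the application.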

I'm facing a similar problem. Is there a workaround? I have tried something like:

  def after_sign_out_path_for(_resource)
    # Attempt 1
    root_url(subdomain: nil)
    # errors out with:
    # Unsafe redirect to "http://lvh.me:3000/", pass allow_other_host: true to redirect anyway.

    # Attempt 2
    redirect_to(root_url(subdomain: nil), allow_other_host: true); return
    # errors out with:
    # Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...); return".
  end

But I haven't figured it out.

yorsant, Oct 12 '23 20:10

@yorsant I think your issue is different, as it's not related to storing the URL for later retrieval during login / redirect afterwards.

You might need to override this method on your own sessions controller to do the redirect yourself, adding allow_other_host. If that doesn't work, please open a separate issue.

carlosantoniodasilva, Oct 12 '23 20:10