
fix(auth): preserve redirect URL after logout

Open ChristophWurst opened this issue 7 months ago • 7 comments

  • Resolves: https://github.com/nextcloud/server/issues/52908

Summary

Preserve the redirect URL. This is mostly helpful for the client login flow.

How to test

  1. Set up 2FA
  2. Log in
  3. Navigate to /apps/files -> you get redirected to login
  4. Log in with your password
  5. Click Cancel logout at the 2FA pages
  6. Log in again with password
  7. Complete the 2FA challenge

master: you see the dashboard (default app)
here: you see the files app

TODO

  • [x] Do

Checklist

ChristophWurst avatar May 21 '25 07:05 ChristophWurst
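The flow the "How to test" steps describe, as an added illustration that is not code from nextcloud/server: the requested path is carried as a query parameter through the logout (which drops the whole session), copied into the fresh session at the password step, kept across the "cancel" on the 2FA page, and used only after the challenge succeeds. Because a preserved redirect target is an open-redirect vector if it is trusted blindly, every hop re-checks that it is a same-origin path. The `redirect_url` parameter name, the `/apps/dashboard` fallback, the user name and the function names are all assumptions made for this example.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

DEFAULT_APP = "/apps/dashboard"  # constructed stand-in for the "default app"


def is_safe_redirect(target: Optional[str]) -> bool:
    """Accept only absolute-path, same-origin targets.

    Rejects empty values, absolute URLs, protocol-relative '//host' forms and
    the '/\\' variant that some browsers normalise to '//'. This check is what
    keeps a preserved redirect URL from becoming an open redirect.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def login_url_for(target: Optional[str]) -> str:
    """Build the login URL, attaching the target only if it passes the check."""
    if is_safe_redirect(target):
        return "/login?" + urlencode({"redirect_url": target})
    return "/login"


def logout(session: dict, redirect_url: Optional[str] = None) -> Tuple[dict, str]:
    """Terminate the session; return (fresh_session, login_url).

    The old session is cleared entirely, so the only way the target survives
    is on the login URL itself.
    """
    session.clear()
    return {}, login_url_for(redirect_url)


def login_with_password(login_url: str, password_ok: bool) -> dict:
    """Password step: a new session is created and the target is copied into it
    from the login URL so it is still there after the 2FA step."""
    if not password_ok:
        return {}
    query = parse_qs(urlsplit(login_url).query)
    target = query.get("redirect_url", [None])[0]
    session = {"user": "alice", "2fa_pending": True}  # constructed user
    if is_safe_redirect(target):
        session["redirect_url"] = target
    return session


def cancel_2fa(session: dict) -> Tuple[dict, str]:
    """'Cancel login' on the 2FA page is a logout; the target must outlive it."""
    return logout(session, session.get("redirect_url"))


def complete_2fa(session: dict, challenge_ok: bool) -> str:
    """Finish the 2FA challenge and return the location the browser is sent to."""
    if not session.get("2fa_pending") or not challenge_ok:
        return "/login"
    session["2fa_pending"] = False
    return session.pop("redirect_url", DEFAULT_APP)


def walkthrough(requested: str) -> str:
    """The seven test steps as one flow; returns the final location."""
    session = {"user": "alice"}
    session, _ = logout(session)                      # step 2: log out
    login_url = login_url_for(requested)              # step 3: /apps/files -> login
    session = login_with_password(login_url, True)    # step 4: password
    session, login_url = cancel_2fa(session)          # step 5: cancel at 2FA page
    session = login_with_password(login_url, True)    # step 6: password again
    return complete_2fa(session, True)                # step 7: 2FA challenge


if __name__ == "__main__":
    print(walkthrough("/apps/files"))                 # lands in the files app
    print(walkthrough("https://evil.example/phish"))  # falls back to the default app
```

With a same-origin path the user ends up where they started; an absolute or protocol-relative target is dropped at the first hop and the flow falls back to the default app, which is the "master" behaviour the description contrasts against.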

  • Set up 2FA
  • Log in
  • Navigate to /apps/files -> you get redirected to login
  • Log in with your password
  • Click Cancel logout at the 2FA pages
  • Log in again with password
  • Complete the 2FA challenge

It reads like you mixed up words. Don't you mean it like this? 🤔

  1. Set up 2FA
  2. Log out
  3. Navigate to /apps/files -> you get redirected to login
  4. Log in with your password
  5. Click "cancel login" at the 2FA page
  6. Log in again with password
  7. Complete the 2FA challenge

i2h3 avatar May 22 '25 08:05 i2h3

Correct. My bad.

ChristophWurst avatar May 22 '25 08:05 ChristophWurst

It does not work completely. But this might be a valuable lead to the solution of another problem we are currently facing and you probably remember: the mismatching status token (@mpivchev might care). I do exactly as the instructions say and then I end up at the error page which states exactly that.

https://github.com/user-attachments/assets/8d913fb7-884f-4b5e-b422-bcb0a94995de

Setup

  • szaimen/nextcloud-easy-test with this fix/auth/logout-redirect-url branch.
  • iOS 18.4 Simulator.
  • Latest master of iOS app deployed directly from Xcode Version 16.3 (16E140) to the Simulator.

i2h3 avatar May 22 '25 09:05 i2h3

Cool, I'll have a look at that

ChristophWurst avatar May 22 '25 09:05 ChristophWurst

~~The problem is the restarting of the PHP session during login. This clears all previous values.~~

~~In more detail: we store the token of GET /login/v2/flow/{token} in the session, then go to login (or skip if for existing sessions) and finally go to the grant page. If the user was already logged in, the session remains the same. For login there will be a fresh session, which doesn't have the token.~~

~~What puzzles me is that the code is 6 years old. The landing page was always a "public page", making it accessible before authentication. Either this never worked, or we had a mechanism to preserve session values at login, which no longer works.~~

Found a case where login is not an issue. Digging deeper.

ChristophWurst avatar May 26 '25 07:05 ChristophWurst

@ChristophWurst How can the fix for the redirect URL preservation proceed? I just ran into this myself moments ago with our corporate instance. I would suggest to decouple the state token issue into a different pull request.

i2h3 avatar Jun 16 '25 11:06 i2h3

There is nothing specific to state tokens in this PR. It handles redirect URLs generically for logout.

ChristophWurst avatar Jun 16 '25 12:06 ChristophWurst

I was not referring to the state tokens but the retention of the redirect URL. This is a valid fix for a confirmed (other) problem. Hence the question: why wait for the state token affair?

i2h3 avatar Jun 16 '25 19:06 i2h3

Yes, true

ChristophWurst avatar Jun 17 '25 12:06 ChristophWurst