Allow sdk redirect on settings actions authgear#3813

IniZio · Feb 22, 2024 · f675193 · f675193
1 parent 9a46455
commit f675193
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 5 deletions.
diff --git a/pkg/auth/handler/webapp/settings_change_password.go b/pkg/auth/handler/webapp/settings_change_password.go
@@ -75,7 +75,7 @@ func (h *SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http
 	ctrl.PostAction("", func() error {
 		userID := ctrl.RequireUserID()
 		opts := webapp.SessionOptions{
-			RedirectURI: "/settings",
+			RedirectURI: webapp.DeriveSettingsRedirectURIFromRequest(r, "/settings"),
 		}
 		intent := intents.NewIntentChangePrimaryPassword(userID)
 		result, err := ctrl.EntryPointPost(opts, intent, func() (input interface{}, err error) {

diff --git a/pkg/auth/handler/webapp/settings_change_secondary_password.go b/pkg/auth/handler/webapp/settings_change_secondary_password.go
@@ -73,7 +73,7 @@ func (h *SettingsChangeSecondaryPasswordHandler) ServeHTTP(w http.ResponseWriter
 	ctrl.PostAction("", func() error {
 		userID := ctrl.RequireUserID()
 		opts := webapp.SessionOptions{
-			RedirectURI: "/settings",
+			RedirectURI: webapp.DeriveSettingsRedirectURIFromRequest(r, "/settings"),
 		}
 		intent := intents.NewIntentChangeSecondaryPassword(userID)
 

diff --git a/pkg/auth/handler/webapp/settings_profile_edit.go b/pkg/auth/handler/webapp/settings_profile_edit.go
@@ -116,7 +116,7 @@ func (h *SettingsProfileEditHandler) ServeHTTP(w http.ResponseWriter, r *http.Re
 			}
 		}
 
-		result := webapp.Result{RedirectURI: "/settings/profile"}
+		result := webapp.Result{RedirectURI: webapp.DeriveSettingsRedirectURIFromRequest(r, "/settings/profile")}
 		result.WriteResponse(w, r)
 		return nil
 	})

diff --git a/pkg/auth/webapp/redirect.go b/pkg/auth/webapp/redirect.go
@@ -7,6 +7,10 @@ import (
 	"github.com/authgear/authgear-server/pkg/util/httputil"
 )
 
+var reservedRedirectURIs = []string{
+	"authgearsdk://host/path", // For Authgear SDK only, used for closing the webview
+}
+
 func GetRedirectURI(r *http.Request, trustProxy bool, defaultURI string) string {
 	redirectURI, err := httputil.GetRedirectURI(r, trustProxy)
 	if err != nil {
@@ -19,6 +23,42 @@ type OAuthClientResolver interface {
 	ResolveClient(clientID string) *config.OAuthClientConfig
 }
 
+func DeriveSettingsRedirectURIFromRequest(r *http.Request, defaultURI string) string {
+	// 1. Redirect URL in query param (must be whitelisted)
+	// 2. Default redirect URL
+	// 3. `/settings`
+	redirectURIFromQuery := func() string {
+		redirectURI := r.URL.Query().Get("redirect_uri")
+		allowed := false
+
+		for _, u := range reservedRedirectURIs {
+			if u == redirectURI {
+				allowed = true
+				break
+			}
+		}
+
+		// 1. Redirect URL in query param (must be whitelisted)
+		if allowed && redirectURI != "" {
+			return redirectURI
+		}
+
+		return ""
+	}()
+
+	if redirectURIFromQuery != "" {
+		return redirectURIFromQuery
+	}
+
+	// 2. Default redirect URL
+	if defaultURI != "" {
+		return defaultURI
+	}
+
+	// 3. `/settings`
+	return "/settings"
+}
+
 func DerivePostLoginRedirectURIFromRequest(r *http.Request, clientResolver OAuthClientResolver, uiConfig *config.UIConfig) string {
 	// 1. Redirect URL in query param (must be whitelisted)
 	// 2. Default redirect URL of the client
@@ -38,7 +78,7 @@ func DerivePostLoginRedirectURIFromRequest(r *http.Request, clientResolver OAuth
 		allowedURIs := client.RedirectURIs
 		allowed := false
 
-		for _, u := range allowedURIs {
+		for _, u := range append(reservedRedirectURIs, allowedURIs...) {
 			if u == redirectURI {
 				allowed = true
 				break

diff --git a/pkg/auth/webapp/service2.go b/pkg/auth/webapp/service2.go
@@ -504,7 +504,7 @@ func (s *Service2) afterPost(
 			result.NavigationAction = "replace"
 		}
 	}
-	s.Logger.Debugf("interaction: redirect to" + result.RedirectURI)
+	s.Logger.Debugf("interaction: redirect to %s", result.RedirectURI)
 
 	// Collect extras
 	session.Extra = collectExtras(graph.CurrentNode())