Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: 2FA respect after_update param. #7626

Merged
merged 15 commits into from
May 28, 2021
Merged

Conversation

artsyjian
Copy link
Contributor

@artsyjian artsyjian commented May 25, 2021

https://artsyproduct.atlassian.net/browse/PLATFORM-3340

We are going to redirect partners from CMS to Force to setup their 2FA (if they are required to but haven't yet) like so:

https://www.artsy.net/user/edit?after_update=https%3A%2F%2Fcms.artsy.net%3A%2Fauth%2Fartsy#two-factor-authentication

After they finish setting up 2FA, we would like them redirected to the URL encoded in after_update param (back to https://cms.artsy.net/auth/artsy).

This PR adds a 2FA setup completion modal specifically for these users. On completion, they are informed that they will be redirected to after_update URL.

The URL is sanitized to prevent rogue redirects (such as to www.evilsite.com, ...)

Changes to hokusai/development.yml are to get hokusai dev working.

Screenshots of new modal:

Screenshot from 2021-05-25 16-42-09

Screenshot from 2021-05-25 16-44-06

@artsyjian
Copy link
Contributor Author

artsyjian commented May 25, 2021

I would like to add tests to confirm the redirect is triggered. Are there existing tests I can borrow from?

Copy link
Member

@damassi damassi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really nice work @artsyjian 💯

Since there's so much new logic, thoughts on adding some tests to cover it?

Copy link
Contributor

@joeyAghion joeyAghion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great!

Edit: The combination of "after update," "on complete," and "redirect to" labels got a little confusing. Maybe after_update should just become on_complete? I'm open to alternatives too. (Minor.)

hokusai/development.yml Show resolved Hide resolved
if (afterUpdateURL) {
const sanitizedURL = sanitizeRedirect(afterUpdateURL)

// a '/' means URL is bad
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Surprising... what if a caller was trying to redirect to the root page?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure. shall test.

Copy link
Contributor Author

@artsyjian artsyjian May 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested. if after_update points to /:

http://localhost:5000/user/edit?after_update=%2F#two-factor-authentication

sanitize_redirect returns / which causes afterUpdateRedirect to return empty string, so the old Log back in modal is displayed. I think this is desired behavior?

if after_update is a relative path other than /, say /foo:

http://localhost:5000/user/edit?after_update=%2Ffoo#two-factor-authentication

sanitize_redirect returns /foo which does cause the redirect modal to show which displays no target hostname (b/c /foo is relative), and clicking OK takes one to localhost:5000/foo.

It looks like we should ensure after_update has an absolute URL?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This case is totally fine with the special / meaning. I was just surprised it operated that way generally for artsy-passport's other cases.

Ideally the new after_update param would accept either absolute or relative URLs, but you're right that the modal's copy would need to change in that case. In the case of relative redirects, I'd be fine if it just didn't say the "you'll be redirected..." bit.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

revised. now, the presence of after_update param always cause the redirect modal to show. if the redir url is absolute, the modal shows You will be redirected to: <host>. if the url is relative (/, /foo, ...), the modal omits You will be redirected... and it will only say You’ve successfully set up two-factor authentication! and clicking OK will still redirect to that relative url.

}
}

return ''
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm following the logic correctly, returning blank here means the if(redirectTo) ... checks above will be false, so the non-redirecting modal will display, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, that's the intent, but..yeah, it's kinda confusing.

@artsyjian
Copy link
Contributor Author

Since there's so much new logic, thoughts on adding some tests to cover it?
Thanks @damassi. Definitely should include tests. I will holler if I need help.

@joeyAghion joeyAghion merged commit 3009439 into master May 28, 2021
@joeyAghion joeyAghion deleted the artsyjian/after-update-redir branch May 28, 2021 18:31
@artsy-peril artsy-peril bot mentioned this pull request May 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants