fix(auth): redirect to original URL after login
Pass current path as ?next= when bouncing unauthenticated requests to /echo/login; after successful auth, JS reads and validates the param (must start with /echo/, not /echo/login) before redirecting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -10,6 +10,7 @@ import os
|
||||
import sys
|
||||
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
|
||||
from pathlib import Path
|
||||
from urllib.parse import quote as _urlquote
|
||||
|
||||
# Make dashboard/ importable for the handler submodules (constants,
|
||||
# habits_helpers, handlers.*). Tests rely on this as well.
|
||||
@@ -284,7 +285,8 @@ class TaskBoardHandler(
|
||||
if fpath.is_file():
|
||||
if fpath.name != 'login.html' and not self._check_dashboard_cookie():
|
||||
self.send_response(302)
|
||||
self.send_header('Location', '/echo/login')
|
||||
next_param = _urlquote(self.path, safe='/?=&#')
|
||||
self.send_header('Location', f'/echo/login?next={next_param}')
|
||||
self.send_header('Content-Length', '0')
|
||||
self.end_headers()
|
||||
return
|
||||
|
||||
@@ -252,7 +252,14 @@
|
||||
// Browsers auto-follow 302, so a successful login surfaces
|
||||
// here as a 2xx (workspace.html) or an opaqueredirect.
|
||||
if (res.ok || res.type === 'opaqueredirect' || res.redirected) {
|
||||
var dest = res.url && res.redirected ? res.url : '/echo/workspace.html';
|
||||
// Redirect back to the page the user originally wanted,
|
||||
// passed as ?next= by the server. Validate it's a safe
|
||||
// relative /echo/ path to prevent open-redirect attacks.
|
||||
var params = new URLSearchParams(window.location.search);
|
||||
var next = params.get('next') || '';
|
||||
var dest = (next && /^\/echo\/[^/]/.test(next) && next.indexOf('/echo/login') !== 0)
|
||||
? next
|
||||
: '/echo/workspace.html';
|
||||
window.location.assign(dest);
|
||||
return;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user