romfast/echo-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): redirect to original URL after login

Browse Source 
Pass current path as ?next= when bouncing unauthenticated requests
to /echo/login; after successful auth, JS reads and validates the
param (must start with /echo/, not /echo/login) before redirecting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marius Mutu
2026-04-29 13:38:27 +00:00
parent b08f039917
commit 38259f3cfd
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
dashboard/api.py
View File

@@ -10,6 +10,7 @@ import os
import sys import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path from pathlib import Path
from urllib.parse import quote as _urlquote
# Make dashboard/ importable for the handler submodules (constants, # Make dashboard/ importable for the handler submodules (constants,
# habits_helpers, handlers.*). Tests rely on this as well. # habits_helpers, handlers.*). Tests rely on this as well.
@@ -284,7 +285,8 @@ class TaskBoardHandler(
if fpath.is_file(): if fpath.is_file():
if fpath.name != 'login.html' and not self._check_dashboard_cookie(): if fpath.name != 'login.html' and not self._check_dashboard_cookie():
self.send_response(302) self.send_response(302)
self.send_header('Location', '/echo/login') next_param = _urlquote(self.path, safe='/?=&#')
self.send_header('Location', f'/echo/login?next={next_param}')
self.send_header('Content-Length', '0') self.send_header('Content-Length', '0')
self.end_headers() self.end_headers()
return return

9
dashboard/login.html
View File

@@ -252,7 +252,14 @@
// Browsers auto-follow 302, so a successful login surfaces // Browsers auto-follow 302, so a successful login surfaces
// here as a 2xx (workspace.html) or an opaqueredirect. // here as a 2xx (workspace.html) or an opaqueredirect.
if (res.ok || res.type === 'opaqueredirect' || res.redirected) { if (res.ok || res.type === 'opaqueredirect' || res.redirected) {
var dest = res.url && res.redirected ? res.url : '/echo/workspace.html'; // Redirect back to the page the user originally wanted,
// passed as ?next= by the server. Validate it's a safe
// relative /echo/ path to prevent open-redirect attacks.
var params = new URLSearchParams(window.location.search);
var next = params.get('next') || '';
var dest = (next && /^\/echo\/[^/]/.test(next) && next.indexOf('/echo/login') !== 0)
? next
: '/echo/workspace.html';
window.location.assign(dest); window.location.assign(dest);
return; return;
} }