Make josh_id propagate return_to as a GET parameter, and use that GET
authorWard Vandewege <ward@clinicalfuture.com>
Fri, 25 Jan 2013 17:35:25 +0000 (12:35 -0500)
committerWard Vandewege <ward@clinicalfuture.com>
Fri, 25 Jan 2013 17:35:25 +0000 (12:35 -0500)
parameter instead of session[] when redirecting in create().  Using
session[] is inappropriate: completing a login in browser window A can
cause a token to be sent to a different API client who has requested a
token in window B.

app/controllers/user_sessions_controller.rb
lib/josh_id.rb

index d0b5041b17437004a44022766c06cd4f3daf2bf2..31f691d333dbb951d1547d3b447a0a54b892f824 100644 (file)
@@ -44,8 +44,8 @@ class UserSessionsController < ApplicationController
     session[:api_client_trusted] = true # full permission to see user's secrets
 
     @redirect_to = root_path
-    if session.has_key? :return_to
-      return send_api_token_to(session.delete(:return_to), user)
+    if params.has_key?(:return_to)
+      return send_api_token_to(params[:return_to], user)
     end
     redirect_to @redirect_to
   end
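Review bot: `send_api_token_to(params[:return_to], user)` on the added line hands the API token to whatever URL arrived in the callback query string, so unless send_api_token_to (outside this hunk) checks the destination against a registered API client, a login link carrying a foreign `return_to` would deliver the token of whoever completes the login to that foreign URL; the new `elsif` branch of the second hunk forwards the same unchecked value. The session-based flow had the same gap, but since the commit message presents this change as fixing token misdelivery, the still-unvalidated destination deserves a note or a check here. Separately, `params.has_key?(:return_to)` is true for an empty `return_to=` value, which is then passed on; `if params[:return_to].present?` would match the truthiness test used in the second hunk. create's body starts outside the hunk.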
@@ -76,14 +76,9 @@ class UserSessionsController < ApplicationController
       # ask for confirmation here!
 
       send_api_token_to(params[:return_to], current_user)
+    elsif params[:return_to]
+      redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}"
     else
-      # TODO: make joshid propagate return_to as a GET parameter, and
-      # use that GET parameter instead of session[] when redirecting
-      # in create().  Using session[] is inappropriate: completing a
-      # login in browser window A can cause a token to be sent to a
-      # different API client who has requested a token in window B.
-
-      session[:return_to] = params[:return_to]
       redirect_to "/auth/joshid"
     end
   end
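Review bot: `CGI.escape(params[:return_to])` on the new line assumes a String, but Rack parses `return_to[]=x` into an Array and `return_to[k]=v` into a Hash, for which `elsif params[:return_to]` is still truthy and CGI.escape raises, turning a malformed request into a 500 instead of a clean fallback. Tightening the guard to `elsif params[:return_to].is_a?(String) && !params[:return_to].empty?` keeps such values on the plain `redirect_to "/auth/joshid"` path. The enclosing method starts outside the hunk.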
index b47453a7e58cfe1739db9498ff033b6c8317caee..31fba2265785ed4a5261fd6af7c85298f0b6c10f 100644 (file)
@@ -28,6 +28,10 @@ module OmniAuth
         }
       end
       
+      def callback_url
+        full_host + script_name + callback_path + query_string
+      end
+
       def raw_info
         @raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
       end
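Review bot: `callback_url` now appends the whole `query_string` rather than just `return_to`, so the redirect_uri sent to the provider varies with every parameter on the request; in particular, during the callback phase the query string holds the provider's own `code` (and `state`, if used), so the redirect_uri presented at token exchange would differ from the one used at authorization, which a provider enforcing exact redirect_uri matching would reject — presumably the josh_id server is lenient here, but that should be confirmed. Building the URL from only the value the controller needs avoids both issues: `base = full_host + script_name + callback_path`, `rt = request.params['return_to']`, `rt.is_a?(String) ? "#{base}?return_to=#{Rack::Utils.escape(rt)}" : base`. A one-line comment above the method, `# Carries return_to through the provider round-trip so create() can read it from params`, would also record why the default is overridden. The enclosing strategy class starts and ends outside the hunk.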