FIX: Correctly redirect after external login on subfolder sites (#10529)

FIX: Correctly redirect after external login on subfolder sites (#10529)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index fff323a..674c39b 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -32,7 +32,7 @@ class Users::OmniauthCallbacksController < ApplicationController
       # Save to redis, with a secret token, then redirect to confirmation screen
       token = SecureRandom.hex
       Discourse.redis.setex "#{Users::AssociateAccountsController::REDIS_PREFIX}_#{current_user.id}_#{token}", 10.minutes, auth.to_json
-      return redirect_to Discourse.base_uri("/associate/#{token}")
+      return redirect_to "#{Discourse.base_uri}/associate/#{token}"
     else
       @auth_result = authenticator.after_authenticate(auth)
       DiscourseEvent.trigger(:after_auth, authenticator, @auth_result)
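Review bot: The `/associate/#{token}` redirect corrected in this hunk has no spec in this commit; the two examples added to omniauth_callbacks_controller_spec.rb exercise only the origin handling. A request spec that calls `set_subfolder "/subpath"`, goes through the account-association callback and asserts that `response.location` carries the subfolder prefix followed by `/associate/` would keep this path from regressing. The enclosing action starts and ends outside the hunk, so how the association branch is entered is not visible here.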
@@ -55,7 +55,7 @@ class Users::OmniauthCallbacksController < ApplicationController
 
       if parsed && # Valid
          (parsed.host == nil || parsed.host == Discourse.current_hostname) && # Local
-         !parsed.path.starts_with?(Discourse.base_uri("/auth/")) # Not /auth URL
+         !parsed.path.starts_with?("#{Discourse.base_uri}/auth/") # Not /auth URL
         @origin = +"#{parsed.path}"
         @origin << "?#{parsed.query}" if parsed.query
       end
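Review bot: `parsed.path` is dereferenced without a nil check in the `!parsed.path.starts_with?(...)` condition, and the conditions before it only inspect `parsed.host`. If `parsed` is a Ruby `URI` built from the request's `origin` parameter (the parsing is outside the hunk), a URI with no hierarchical part has a nil path, so this line would raise NoMethodError unless something further up rescues it. Adding `parsed.path.present? &&` ahead of the prefix test would let a nil or empty path fall through to the default destination. A short comment above the block saying that only the path and query are kept, never the scheme or host, would also record why `@origin` stays a local redirect target.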
diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
index ed449ba..bb18d34 100644
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -545,6 +545,19 @@ RSpec.describe Users::OmniauthCallbacksController do
           expect(cookie_data["destination_url"]).to eq('/t/123')
         end
 
+        it "redirects to internal origin on subfolder" do
+          set_subfolder "/subpath"
+
+          post "/auth/google_oauth2?origin=http://test.localhost/subpath/t/123"
+          get "/auth/google_oauth2/callback"
+
+          expect(response.status).to eq 302
+          expect(response.location).to eq "http://test.localhost/subpath/t/123"
+
+          cookie_data = JSON.parse(response.cookies['authentication_data'])
+          expect(cookie_data["destination_url"]).to eq('/subpath/t/123')
+        end
+
         it "never redirects to /auth/ origin" do
           post "/auth/google_oauth2?origin=http://test.localhost/auth/google_oauth2"
           get "/auth/google_oauth2/callback"
@@ -556,6 +569,19 @@ RSpec.describe Users::OmniauthCallbacksController do
           expect(cookie_data["destination_url"]).to eq('/')
         end
 
+        it "never redirects to /auth/ origin on subfolder" do
+          set_subfolder "/subpath"
+
+          post "/auth/google_oauth2?origin=http://test.localhost/subpath/auth/google_oauth2"
+          get "/auth/google_oauth2/callback"
+
+          expect(response.status).to eq 302
+          expect(response.location).to eq "http://test.localhost/subpath"
+
+          cookie_data = JSON.parse(response.cookies['authentication_data'])
+          expect(cookie_data["destination_url"]).to eq('/subpath')
+        end
+
         it "redirects to relative origin" do
           post "/auth/google_oauth2?origin=/t/123"
           get "/auth/google_oauth2/callback"

GitHub sha: 4351fa43

This commit appears in #10529 which was merged by davidtaylorhq.