FIX: Handle missing provider return sso url

FIX: Handle missing provider return sso url

This commit prevents a 500 error from occurring if someone is trying to setup their discourse instance as a sso provider and they don’t pass in a return_sso_url in their payload.

diff --git a/lib/single_sign_on_provider.rb b/lib/single_sign_on_provider.rb
index d97ecdf..a626ffc 100644
--- a/lib/single_sign_on_provider.rb
+++ b/lib/single_sign_on_provider.rb
@@ -19,6 +19,7 @@ class SingleSignOnProvider < SingleSignOn
     decoded = Base64.decode64(parsed["sso"])
     decoded_hash = Rack::Utils.parse_query(decoded)
 
+    raise ParseError unless decoded_hash.key? 'return_sso_url'
     @return_sso_url = decoded_hash['return_sso_url']
   end
 
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 49b4d09..dd44d52 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -1055,6 +1055,13 @@ RSpec.describe SessionController do
         expect(response.body).to eq(I18n.t("sso.missing_secret"))
       end
 
+      it "returns a 422 if no return_sso_url" do
+        SiteSetting.sso_provider_secrets = "abcdefghij"
+        sso = SingleSignOnProvider.new
+        get "/session/sso_provider?sso=asdf&sig=abcdefghij"
+        expect(response.status).to eq(422)
+      end
+
       it "successfully redirects user to return_sso_url when the user is logged in" do
         sign_in(@user)
 

GitHub sha: 4078b228