Fix confirmation redirect to app without Location header (#18523)

This commit is contained in:
Eugen Rochko 2022-05-26 22:03:54 +02:00 committed by GitHub
parent 3e0e7a1cfb
commit 96129c2f10
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 1 deletions

View file

@ -40,7 +40,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
def after_confirmation_path_for(_resource_name, user) def after_confirmation_path_for(_resource_name, user)
if user.created_by_application && truthy_param?(:redirect_to_app) if user.created_by_application && truthy_param?(:redirect_to_app)
user.created_by_application.redirect_uri user.created_by_application.confirmation_redirect_uri
else else
super super
end end

View file

@ -12,4 +12,8 @@ module ApplicationExtension
def most_recently_used_access_token def most_recently_used_access_token
@most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first @most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first
end end
def confirmation_redirect_uri
redirect_uri.lines.first.strip
end
end end

View file

@ -128,6 +128,13 @@ Doorkeeper.configure do
# #
force_ssl_in_redirect_uri false force_ssl_in_redirect_uri false
# Specify what redirect URI's you want to block during Application creation.
# Any redirect URI is whitelisted by default.
#
# You can use this option in order to forbid URI's with 'javascript' scheme
# for example.
forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
# Specify what grant flows are enabled in array of Strings. The valid # Specify what grant flows are enabled in array of Strings. The valid
# strings and the flows they enable are: # strings and the flows they enable are:
# #