From 7b55e7e528f3677b7f239f531708af90fbf2174f Mon Sep 17 00:00:00 2001 From: Ali Hamdi Ali Fadel Date: Fri, 10 Jul 2026 23:33:44 +0300 Subject: [PATCH] fix(oauth): resume authorization after sign-up --- app/controllers/users_controller.rb | 2 +- config/initializers/doorkeeper.rb | 10 +++---- .../oauth_authorization_flow_test.rb | 30 +++++++++++++++++++ 3 files changed, 36 insertions(+), 6 deletions(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 920b351..f37e138 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -17,7 +17,7 @@ def create if @user.save start_new_session_for @user - redirect_to pastes_path, status: :see_other, notice: t("users.created") + redirect_to after_authentication_url, status: :see_other, notice: t("users.created") else render :new, status: :unprocessable_entity end diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index efd8574..cf1fdc5 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb @@ -15,11 +15,11 @@ resource_owner_authenticator do Session.find_by(id: cookies.signed[Authentication::AUTH_COOKIE_NAME])&.user || begin - # Mirror Authentication#request_authentication: SessionsController#create - # resumes ONLY via session[:return_to_after_authenticating] -- a return_to - # query param would be silently ignored and the OAuth flow would die on - # the dashboard after login. start_new_session_for already carries this - # key across its reset_session call. + # Mirror Authentication#request_authentication: successful sign-in and + # sign-up resume ONLY via session[:return_to_after_authenticating] -- a + # return_to query param would be silently ignored and the OAuth flow would + # die on the dashboard. start_new_session_for already carries this key + # across its reset_session call. session[:return_to_after_authenticating] = request.fullpath redirect_to(new_session_path) end diff --git a/test/integration/oauth_authorization_flow_test.rb b/test/integration/oauth_authorization_flow_test.rb index f40b060..8839e67 100644 --- a/test/integration/oauth_authorization_flow_test.rb +++ b/test/integration/oauth_authorization_flow_test.rb @@ -68,6 +68,36 @@ class OauthAuthorizationFlowTest < ActionDispatch::IntegrationTest assert_select "form input[type=hidden][name=resource][value=?]", CANONICAL_RESOURCE end + test "new user signing up during authorization resumes the full OAuth URL" do + authorize_url = "/oauth/authorize?#{authorize_params.to_query}" + + get authorize_url + assert_response :see_other + assert_redirected_to new_session_path + + # Follow the sign-up link without losing the server-side OAuth return path. + get new_user_path + assert_response :success + + assert_difference "User.count", 1 do + post users_url, params: { + user: { + email_address: "new-mcp-user@example.com", + password: "correct horse battery staple", + password_confirmation: "correct horse battery staple" + } + } + end + + assert_response :see_other + assert_equal authorize_url, URI.parse(response.location).then { |u| "#{u.path}?#{u.query}" } + assert_nil session[:return_to_after_authenticating] + + follow_redirect! + assert_response :success + assert_select "form input[type=hidden][name=resource][value=?]", CANONICAL_RESOURCE + end + test "dynamically registered clients are labeled unverified with their redirect host" do sign_in_as users(:alice) client = oauth_applications(:dynamic_client)