Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/controllers/users_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ def create

if @user.save
start_new_session_for @user
redirect_to pastes_path, status: :see_other, notice: t("users.created")
redirect_to after_authentication_url, status: :see_other, notice: t("users.created")
else
render :new, status: :unprocessable_entity
end
Expand Down
10 changes: 5 additions & 5 deletions config/initializers/doorkeeper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@

resource_owner_authenticator do
Session.find_by(id: cookies.signed[Authentication::AUTH_COOKIE_NAME])&.user || begin
# Mirror Authentication#request_authentication: SessionsController#create
# resumes ONLY via session[:return_to_after_authenticating] -- a return_to
# query param would be silently ignored and the OAuth flow would die on
# the dashboard after login. start_new_session_for already carries this
# key across its reset_session call.
# Mirror Authentication#request_authentication: successful sign-in and
# sign-up resume ONLY via session[:return_to_after_authenticating] -- a
# return_to query param would be silently ignored and the OAuth flow would
# die on the dashboard. start_new_session_for already carries this key
# across its reset_session call.
session[:return_to_after_authenticating] = request.fullpath
redirect_to(new_session_path)
end
Expand Down
30 changes: 30 additions & 0 deletions test/integration/oauth_authorization_flow_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,36 @@ class OauthAuthorizationFlowTest < ActionDispatch::IntegrationTest
assert_select "form input[type=hidden][name=resource][value=?]", CANONICAL_RESOURCE
end

test "new user signing up during authorization resumes the full OAuth URL" do
authorize_url = "/oauth/authorize?#{authorize_params.to_query}"

get authorize_url
assert_response :see_other
assert_redirected_to new_session_path

# Follow the sign-up link without losing the server-side OAuth return path.
get new_user_path
assert_response :success

assert_difference "User.count", 1 do
post users_url, params: {
user: {
email_address: "new-mcp-user@example.com",
password: "correct horse battery staple",
password_confirmation: "correct horse battery staple"
}
}
end

assert_response :see_other
assert_equal authorize_url, URI.parse(response.location).then { |u| "#{u.path}?#{u.query}" }
assert_nil session[:return_to_after_authenticating]

follow_redirect!
assert_response :success
assert_select "form input[type=hidden][name=resource][value=?]", CANONICAL_RESOURCE
end

test "dynamically registered clients are labeled unverified with their redirect host" do
sign_in_as users(:alice)
client = oauth_applications(:dynamic_client)
Expand Down
Loading