Dashboard: Fixes kiosk state after being redirected to login page and back (#29273)

* Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>

Dashboard: Fixes kiosk state after being redirected to login page and back (#29273)
* Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
1076f475 · Torkel Ödegaard · GitHub · 702cb908 · 1076f475 · 1076f475
Commit 1076f475 authored Nov 20, 2020 by Torkel Ödegaard Committed by GitHub Nov 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 9 deletions

pkg/middleware/auth.go
+11 -9

pkg/middleware/auth_test.go
+21 -0

No files found.
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -2,6 +2,7 @@ package middleware

 import (
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"

@@ -53,18 +54,19 @@ func notAuthorized(c *models.ReqContext) {
 		redirectTo = setting.AppSubUrl + c.Req.RequestURI
 	}

-	// remove forceLogin query param if it exists
-	if parsed, err := url.ParseRequestURI(redirectTo); err == nil {
-		params := parsed.Query()
-		params.Del("forceLogin")
-		parsed.RawQuery = params.Encode()
-		WriteCookie(c.Resp, "redirect_to", url.QueryEscape(parsed.String()), 0, newCookieOptions)
-	} else {
-		c.Logger.Debug("Failed parsing request URI; redirect cookie will not be set", "redirectTo", redirectTo, "error", err)
-	}
+	// remove any forceLogin=true params
+	redirectTo = removeForceLoginParams(redirectTo)
+
+	WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, newCookieOptions)
 	c.Redirect(setting.AppSubUrl + "/login")
 }

+var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)
+
+func removeForceLoginParams(str string) string {
+	return forceLoginParamsRegexp.ReplaceAllString(str, "")
+}
+
 func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {
 	if !c.SignedInUser.HasRole(models.ROLE_EDITOR) && !setting.ViewersCanEdit {
 		accessForbidden(c)

--- a/pkg/middleware/auth_test.go
+++ b/pkg/middleware/auth_test.go
 package middleware

 import (
+	"fmt"
 	"testing"

 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
+	"github.com/stretchr/testify/require"

 	. "github.com/smartystreets/goconvey/convey"
 )
@@ -104,3 +106,22 @@ func TestMiddlewareAuth(t *testing.T) {
 		})
 	})
 }
+
+func TestRemoveForceLoginparams(t *testing.T) {
+	tcs := []struct {
+		inp string
+		exp string
+	}{
+		{inp: "/?forceLogin=true", exp: "/?"},
+		{inp: "/d/dash/dash-title?ordId=1&forceLogin=true", exp: "/d/dash/dash-title?ordId=1"},
+		{inp: "/?kiosk&forceLogin=true", exp: "/?kiosk"},
+		{inp: "/d/dash/dash-title?ordId=1&kiosk&forceLogin=true", exp: "/d/dash/dash-title?ordId=1&kiosk"},
+		{inp: "/d/dash/dash-title?ordId=1&forceLogin=true&kiosk", exp: "/d/dash/dash-title?ordId=1&kiosk"},
+		{inp: "/d/dash/dash-title?forceLogin=true&kiosk", exp: "/d/dash/dash-title?&kiosk"},
+	}
+	for i, tc := range tcs {
+		t.Run(fmt.Sprintf("testcase %d", i), func(t *testing.T) {
+			require.Equal(t, tc.exp, removeForceLoginParams(tc.inp))
+		})
+	}
+}