fix cookieoverflow?

2026-04-19 19:45:08 +00:00 · 2025-11-25 19:08:49 -05:00 · 2025-11-25 19:08:49 -05:00 · 2f67c60cf4
commit 2f67c60cf4
parent 60f6f43174
9 changed files with 29 additions and 25 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -32,14 +32,17 @@ class ApplicationController < ActionController::Base

  def authenticate_identity!
    unless identity_signed_in?
-      session[:return_to] = request.original_url unless request.xhr?
      # JANK ALERT
      hide_some_data_away

      # EW
      return if controller_name == "onboardings"

-      redirect_to welcome_path
+      if request.xhr?
+        redirect_to welcome_path
+      else
+        redirect_to welcome_path(return_to: request.original_url)
+      end
    end
  end

--- a/app/controllers/identities_controller.rb
+++ b/app/controllers/identities_controller.rb
@ -105,7 +105,8 @@ class IdentitiesController < ApplicationController
                identity: @identity,
                authentication_factors: {},
                provenance: "signup",
-                next_action: @onboarding_scenario.next_action.to_s
+                next_action: @onboarding_scenario.next_action.to_s,
+                return_to: @return_to
            )

            # Set browser token cookie for security
@ -119,7 +120,7 @@ class IdentitiesController < ApplicationController
                IdentityMailer.v2_login_code(login_code).deliver_later
            end

-            redirect_to login_attempt_path(id: login_attempt.to_param, return_to: @return_to), status: :see_other
+            redirect_to login_attempt_path(id: login_attempt.to_param), status: :see_other
        else
            render :new, status: :unprocessable_entity
        end
@ -160,8 +161,7 @@ class IdentitiesController < ApplicationController
    end

    def set_return_to
-        session[:return_to] = params[:return_to] if params[:return_to].present?
-        @return_to = session[:return_to]
+        @return_to = params[:return_to] if params[:return_to].present?
    end

    def identity_params
--- a/app/controllers/logins_controller.rb
+++ b/app/controllers/logins_controller.rb
@ -25,7 +25,8 @@ class LoginsController < ApplicationController
            identity: identity,
            authentication_factors: {},
            provenance: "login",
-            next_action: "home"
+            next_action: "home",
+            return_to: @return_to
        )

        # Store fingerprint info in session for later use
@ -43,10 +44,10 @@ class LoginsController < ApplicationController
        }

        send_v2_login_code(identity, attempt)
-        redirect_to login_attempt_path(id: attempt.to_param, return_to: @return_to), status: :see_other
+        redirect_to login_attempt_path(id: attempt.to_param), status: :see_other
    rescue => e
        flash[:error] = e.message
-        redirect_to login_path
+        redirect_to login_path(return_to: @return_to)
    end

    def show
@ -105,7 +106,7 @@ class LoginsController < ApplicationController
    def resend
        send_v2_login_code(@attempt.identity, @attempt)
        flash[:notice] = "A new code has been sent to #{@identity.primary_email}"
-        redirect_to login_attempt_path(id: @attempt.to_param, return_to: params[:return_to]), status: :see_other
+        redirect_to login_attempt_path(id: @attempt.to_param), status: :see_other
    end


@ -195,8 +196,7 @@ class LoginsController < ApplicationController
    end

    def set_return_to
-        session[:return_to] = params[:return_to] if params[:return_to].present?
-        @return_to = session[:return_to]
+        @return_to = params[:return_to] if params[:return_to].present?
    end

    def fingerprint_info
@ -258,7 +258,7 @@ class LoginsController < ApplicationController
            end
        else
        flash[:success] = "Logged in!"
-        safe_return_to = session.delete(:return_to)
+        safe_return_to = @attempt.return_to
        begin
          redirect_to safe_return_to.presence || root_path
        rescue ActionController::Redirecting::UnsafeRedirectError
@ -312,12 +312,11 @@ class LoginsController < ApplicationController

    def redirect_to_next_factor
        available = @attempt.available_factors
-        safe_return_to = url_from(params[:return_to])

        if available.include?(:totp)
-            redirect_to totp_login_attempt_path(id: @attempt.to_param, return_to: safe_return_to), status: :see_other
+            redirect_to totp_login_attempt_path(id: @attempt.to_param), status: :see_other
        elsif available.include?(:backup_code)
-            redirect_to backup_code_login_attempt_path(id: @attempt.to_param, return_to: safe_return_to), status: :see_other
+            redirect_to backup_code_login_attempt_path(id: @attempt.to_param), status: :see_other
        else
            # No available factors - this shouldn't happen
            flash[:error] = "Unable to complete authentication"
--- a/app/controllers/static_pages_controller.rb
+++ b/app/controllers/static_pages_controller.rb
@ -6,12 +6,13 @@ class StaticPagesController < ApplicationController
  end

  def welcome
+    @return_to = params[:return_to]
    render layout: "logged_out"
  end

  def oauth_welcome
    # Extract client_id from the return_to URL
-    @return_to = session[:return_to]
+    @return_to = params[:return_to]
    if @return_to.present?
      uri = URI.parse(@return_to)
      params_hash = URI.decode_www_form(uri.query || "").to_h
--- a/app/views/logins/backup_code.html.erb
+++ b/app/views/logins/backup_code.html.erb
@ -21,7 +21,7 @@
    <% if @attempt.totp_available? %>
      <footer>
        <p>
-          <%= link_to t(".use_authenticator"), totp_login_attempt_path(@attempt, return_to: params[:return_to]) %>
+          <%= link_to t(".use_authenticator"), totp_login_attempt_path(@attempt) %>
        </p>
      </footer>
    <% end %>
--- a/app/views/logins/email.html.erb
+++ b/app/views/logins/email.html.erb
@ -20,7 +20,7 @@
    <% end %>

    <footer>
-      <%= form_with url: resend_login_attempt_path(@attempt, return_to: params[:return_to]), method: :post, style: "margin: 0;" do %>
+      <%= form_with url: resend_login_attempt_path(@attempt), method: :post, style: "margin: 0;" do %>
        <%= button_tag t(".resend"), type: "submit", class: "secondary" %>
      <% end %>

@ -36,10 +36,10 @@
              country: @identity.country,
              primary_email: @identity.primary_email
            },
-            return_to: params[:return_to]
+            return_to: @attempt.return_to
          ) %>
        <% else %>
-          <%= link_to t(".use_different_address"), login_path(email: @identity.primary_email, return_to: params[:return_to]) %>
+          <%= link_to t(".use_different_address"), login_path(email: @identity.primary_email, return_to: @attempt.return_to) %>
        <% end %>
      </p>

--- a/app/views/logins/totp.html.erb
+++ b/app/views/logins/totp.html.erb
@ -25,7 +25,7 @@
      <footer>
        <p>
          <%= t(".lost_authenticator") %>
-          <%= link_to t(".use_backup_code"), backup_code_login_attempt_path(@attempt, return_to: params[:return_to]) %>
+          <%= link_to t(".use_backup_code"), backup_code_login_attempt_path(@attempt) %>
        </p>
      </footer>
    <% end %>
--- a/app/views/static_pages/welcome.html.erb
+++ b/app/views/static_pages/welcome.html.erb
@ -1,4 +1,5 @@
 <%= render Components::AuthWelcome.new(
  headline: t(".title"),
-  subtitle: t(".subtitle")
+  subtitle: t(".subtitle"),
+  return_to: @return_to
 ) %>
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -29,8 +29,8 @@ Doorkeeper.configure do
      params.reject! { |key, _| key == "stash_data" }
      uri.query = URI.encode_www_form(params) unless params.empty?
      # Store only the path + query (relative URL) for security
-      session[:return_to] = uri.request_uri
-      redirect_to "/oauth/welcome"
+      # session[:return_to] = uri.request_uri
+      redirect_to "/oauth/welcome?return_to=#{CGI.escape(uri.request_uri)}"
    end
  end