From 2f67c60cf487ace91b9039d75e23755de0a58b8a Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Tue, 25 Nov 2025 19:08:49 -0500
Subject: [PATCH] fix cookieoverflow?
---
 app/controllers/application_controller.rb | 7 +++++--
 app/controllers/identities_controller.rb | 8 ++++----
 app/controllers/logins_controller.rb | 19 +++++++++----------
 app/controllers/static_pages_controller.rb | 3 ++-
 app/views/logins/backup_code.html.erb | 2 +-
 app/views/logins/email.html.erb | 6 +++---
 app/views/logins/totp.html.erb | 2 +-
 app/views/static_pages/welcome.html.erb | 3 ++-
 config/initializers/doorkeeper.rb | 4 ++--
 9 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 48247e3..ce1593f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -32,14 +32,17 @@ class ApplicationController < ActionController::Base
 def authenticate_identity!
 unless identity_signed_in?
- session[:return_to] = request.original_url unless request.xhr?
 # JANK ALERT
 hide_some_data_away # EW
 return if controller_name == "onboardings"
- redirect_to welcome_path
+ if request.xhr?
+ redirect_to welcome_path
+ else
+ redirect_to welcome_path(return_to: request.original_url)
+ end
 end
 end
diff --git a/app/controllers/identities_controller.rb b/app/controllers/identities_controller.rb
index e571ae5..320b0d2 100644
--- a/app/controllers/identities_controller.rb
+++ b/app/controllers/identities_controller.rb
@@ -105,7 +105,8 @@ class IdentitiesController < ApplicationController
 identity: @identity,
 authentication_factors: {},
 provenance: "signup",
- next_action: @onboarding_scenario.next_action.to_s
+ next_action: @onboarding_scenario.next_action.to_s,
+ return_to: @return_to
 )
 # Set browser token cookie for security
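Review bot: `redirect_to welcome_path(return_to: request.original_url)` in the new else-branch of authenticate_identity! puts the full absolute URL — scheme, host, path and the original query string — into a user-visible query parameter, which the identities_controller.rb hunk below then persists on the attempt record as `return_to: @return_to`; anything carried in that original query string now travels through browser history, referrers and the database instead of the server-side session it used to live in. The Doorkeeper initializer changed in this same commit deliberately forwards only `uri.request_uri`, so the consistent choice here is `redirect_to welcome_path(return_to: request.fullpath)`, which also keeps the welcome URL short for the cookie-size problem the subject line names. Whether the original query can actually contain sensitive values depends on routes not shown in this diff, so treat that as something to confirm rather than assumed.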
@@ -119,7 +120,7 @@ class IdentitiesController < ApplicationController
 IdentityMailer.v2_login_code(login_code).deliver_later
 end
- redirect_to login_attempt_path(id: login_attempt.to_param, return_to: @return_to), status: :see_other
+ redirect_to login_attempt_path(id: login_attempt.to_param), status: :see_other
 else
 render :new, status: :unprocessable_entity
 end
@@ -160,8 +161,7 @@ class IdentitiesController < ApplicationController
 end
 def set_return_to
- session[:return_to] = params[:return_to] if params[:return_to].present?
- @return_to = session[:return_to]
+ @return_to = params[:return_to] if params[:return_to].present?
 end
 def identity_params
diff --git a/app/controllers/logins_controller.rb b/app/controllers/logins_controller.rb
index d9d761f..7dcc0cf 100644
--- a/app/controllers/logins_controller.rb
+++ b/app/controllers/logins_controller.rb
@@ -25,7 +25,8 @@ class LoginsController < ApplicationController
 identity: identity,
 authentication_factors: {},
 provenance: "login",
- next_action: "home"
+ next_action: "home",
+ return_to: @return_to
 )
 # Store fingerprint info in session for later use
@@ -43,10 +44,10 @@ class LoginsController < ApplicationController
 }
 send_v2_login_code(identity, attempt)
- redirect_to login_attempt_path(id: attempt.to_param, return_to: @return_to), status: :see_other
+ redirect_to login_attempt_path(id: attempt.to_param), status: :see_other
 rescue => e
 flash[:error] = e.message
- redirect_to login_path
+ redirect_to login_path(return_to: @return_to)
 end
 def show
@@ -105,7 +106,7 @@ class LoginsController < ApplicationController
 def resend
 send_v2_login_code(@attempt.identity, @attempt)
 flash[:notice] = "A new code has been sent to #{@identity.primary_email}"
- redirect_to login_attempt_path(id: @attempt.to_param, return_to: params[:return_to]), status: :see_other
+ redirect_to login_attempt_path(id: @attempt.to_param), status: :see_other
 end
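Review bot: `@return_to = params[:return_to] if params[:return_to].present?` in the `@@ -160` set_return_to hunk keeps the raw query parameter, and the `@@ -105` hunk above writes it unvalidated into the attempt record via `return_to: @return_to`; the same pattern is repeated in logins_controller.rb at `@@ -195` (set_return_to) and `@@ -25` (`return_to: @return_to`), while the `url_from(params[:return_to])` check that used to sanitise this value in redirect_to_next_factor is deleted at `@@ -312` rather than moved. Validating once at intake keeps every later redirect on-host: `@return_to = url_from(params[:return_to]) if params[:return_to].present?`, since `url_from` returns nil for off-host or unparsable values. The identical line belongs in the logins_controller.rb set_return_to as well.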
@@ -195,8 +196,7 @@ class LoginsController < ApplicationController
 end
 def set_return_to
- session[:return_to] = params[:return_to] if params[:return_to].present?
- @return_to = session[:return_to]
+ @return_to = params[:return_to] if params[:return_to].present?
 end
 def fingerprint_info
@@ -258,7 +258,7 @@ class LoginsController < ApplicationController
 end
 else
 flash[:success] = "Logged in!"
- safe_return_to = session.delete(:return_to)
+ safe_return_to = @attempt.return_to
 begin
 redirect_to safe_return_to.presence || root_path
 rescue ActionController::Redirecting::UnsafeRedirectError
@@ -312,12 +312,11 @@ class LoginsController < ApplicationController
 def redirect_to_next_factor
 available = @attempt.available_factors
- safe_return_to = url_from(params[:return_to])
 if available.include?(:totp)
- redirect_to totp_login_attempt_path(id: @attempt.to_param, return_to: safe_return_to), status: :see_other
+ redirect_to totp_login_attempt_path(id: @attempt.to_param), status: :see_other
 elsif available.include?(:backup_code)
- redirect_to backup_code_login_attempt_path(id: @attempt.to_param, return_to: safe_return_to), status: :see_other
+ redirect_to backup_code_login_attempt_path(id: @attempt.to_param), status: :see_other
 else
 # No available factors - this shouldn't happen
 flash[:error] = "Unable to complete authentication"
diff --git a/app/controllers/static_pages_controller.rb b/app/controllers/static_pages_controller.rb
index 3c1d2e3..8a7cdb1 100644
--- a/app/controllers/static_pages_controller.rb
+++ b/app/controllers/static_pages_controller.rb
@@ -6,12 +6,13 @@ class StaticPagesController < ApplicationController
 end
 def welcome
+ @return_to = params[:return_to]
 render layout: "logged_out"
 end
 def oauth_welcome
 # Extract client_id from the return_to URL
- @return_to = session[:return_to]
+ @return_to = params[:return_to]
 if @return_to.present?
 uri = URI.parse(@return_to)
 params_hash = URI.decode_www_form(uri.query || "").to_h
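Review bot: `safe_return_to = @attempt.return_to` in the `@@ -258` hunk is named safe but nothing in the hunk checks it; it is the verbatim `params[:return_to]` captured when the attempt was created, and the only guard is the `rescue ActionController::Redirecting::UnsafeRedirectError` below, which fires only when `config.action_controller.raise_on_open_redirects` is enabled — a setting not visible in this diff. Making the check explicit removes that dependency: `redirect_to url_from(safe_return_to) || root_path`, which falls back to root_path for external hosts and unparsable values. The enclosing method starts and ends outside the hunk.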
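Review bot: `@return_to = params[:return_to]` in oauth_welcome hands a visitor-controlled string straight to `URI.parse(@return_to)` two lines later, so a malformed value raises `URI::InvalidURIError` (an unhandled 500 unless the method rescues it past the end of this hunk), and the client_id then read out of its query is no longer the value the Doorkeeper initializer computed but whatever the URL says. Replacing the added line with `@return_to = url_from(params[:return_to])` lets the existing `if @return_to.present?` guard cover both problems, because `url_from` returns nil for unparsable and off-host input; anything the page shows about the client should be looked up by that id rather than echoed from the parameter. The method continues past the end of the hunk.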
diff --git a/app/views/logins/backup_code.html.erb b/app/views/logins/backup_code.html.erb
index 76ea3dd..11426b0 100644
--- a/app/views/logins/backup_code.html.erb
+++ b/app/views/logins/backup_code.html.erb
@@ -21,7 +21,7 @@
 <% if @attempt.totp_available? %>
 <% end %>
diff --git a/app/views/logins/email.html.erb b/app/views/logins/email.html.erb
index db0b1ca..505a754 100644
--- a/app/views/logins/email.html.erb
+++ b/app/views/logins/email.html.erb
@@ -20,7 +20,7 @@
 <% end %>
diff --git a/app/views/logins/totp.html.erb b/app/views/logins/totp.html.erb
index ed4595d..a781377 100644
--- a/app/views/logins/totp.html.erb
+++ b/app/views/logins/totp.html.erb
@@ -25,7 +25,7 @@
 <% end %>
diff --git a/app/views/static_pages/welcome.html.erb b/app/views/static_pages/welcome.html.erb
index e28509d..e0e0c9b 100644
--- a/app/views/static_pages/welcome.html.erb
+++ b/app/views/static_pages/welcome.html.erb
@@ -1,4 +1,5 @@
 <%= render Components::AuthWelcome.new(
 headline: t(".title"),
- subtitle: t(".subtitle")
+ subtitle: t(".subtitle"),
+ return_to: @return_to
 ) %>
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 51c8359..b780193 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -29,8 +29,8 @@ Doorkeeper.configure do
 params.reject! { |key, _| key == "stash_data" }
 uri.query = URI.encode_www_form(params) unless params.empty?
 # Store only the path + query (relative URL) for security
- session[:return_to] = uri.request_uri
- redirect_to "/oauth/welcome"
+ # session[:return_to] = uri.request_uri
+ redirect_to "/oauth/welcome?return_to=#{CGI.escape(uri.request_uri)}"
 end
 end
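Review bot: `# session[:return_to] = uri.request_uri` in the doorkeeper.rb hunk leaves dead code behind, and the comment just above it, `# Store only the path + query (relative URL) for security`, now describes a value that is no longer stored anywhere server-side — it is embedded in the `/oauth/welcome?return_to=` query string, where the user can rewrite it before the next request. Delete the commented-out line and make the comment match the new flow, e.g. `# Forward only the path + query (relative URL); it travels via the query string, so /oauth/welcome must re-validate it`. Keeping the value relative is still the right call, since a same-host `url_from` check downstream accepts a leading-slash path and rejects anything with a foreign host.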