respect return url on sign in link

2025-04-14 09:38:16 -05:00 · 2018-03-22 13:18:18 -04:00 · 2018-03-22 13:18:18 -04:00 · 14039d7d1a
commit 14039d7d1a
parent ff9f605b7d
6 changed files with 57 additions and 9 deletions
--- a/src/Admin/Controllers/LoginController.cs
+++ b/src/Admin/Controllers/LoginController.cs
@ -16,9 +16,12 @@ namespace Bit.Admin.Controllers
            _signInManager = signInManager;
        }

-        public IActionResult Index()
+        public IActionResult Index(string returnUrl = null)
        {
-            return View();
+            return View(new LoginModel
+            {
+                ReturnUrl = returnUrl
+            });
        }

        [HttpPost]
@ -28,19 +31,25 @@ namespace Bit.Admin.Controllers
            if(ModelState.IsValid)
            {
                await _signInManager.PasswordlessSignInAsync(model.Email,
-                    Url.Action("Confirm", "Login", null, Request.Scheme));
+                    Url.Action("Confirm", "Login", new { returnUrl = model.ReturnUrl }, Request.Scheme));
                return RedirectToAction("Index", "Home");
            }

            return View(model);
        }

-        public async Task<IActionResult> Confirm(string email, string token)
+        public async Task<IActionResult> Confirm(string email, string token, string returnUrl)
        {
            var result = await _signInManager.PasswordlessSignInAsync(email, token, false);
            if(!result.Succeeded)
            {
-                return View("Error");
+                // TODO: error?
+                return RedirectToAction("Index");
+            }
+
+            if(!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl))
+            {
+                return Redirect(returnUrl);
            }

            return RedirectToAction("Index", "Home");
--- a/src/Admin/Models/LoginModel.cs
+++ b/src/Admin/Models/LoginModel.cs
@ -7,5 +7,6 @@ namespace Bit.Admin.Models
        [Required]
        [EmailAddress]
        public string Email { get; set; }
+        public string ReturnUrl { get; set; }
    }
 }
--- a/src/Admin/Views/Login/Index.cshtml
+++ b/src/Admin/Views/Login/Index.cshtml
@ -7,6 +7,7 @@
    <div class="card-body">
        <p>Please enter your email address below to log in.</p>
        <form asp-action="" method="post">
+            <input type="hidden" asp-for="ReturnUrl" />
            <div asp-validation-summary="ModelOnly" class="text-danger"></div>
            <div class="form-group">
                <label asp-for="Email" class="sr-only">Email Address</label>
--- a/src/Core/Services/Implementations/MarkdownMailService.cs
+++ b/src/Core/Services/Implementations/MarkdownMailService.cs
@ -6,6 +6,7 @@ using Bit.Core.Models.Mail;
 using System.IO;
 using System.Net;
 using System.Reflection;
+using Bit.Core.Utilities;

 namespace Bit.Core.Services
 {
@ -172,10 +173,14 @@ namespace Bit.Core.Services

        public async Task SendPasswordlessSignInAsync(string baseUrl, string token, string email)
        {
+            var url = CoreHelpers.ExtendQuery(new Uri(baseUrl), new Dictionary<string, string>
+            {
+                ["email"] = email,
+                ["token"] = token,
+            });
            var model = new Dictionary<string, string>
            {
-                ["url"] = string.Format("{0}?email={1}&token={2}", baseUrl, WebUtility.UrlEncode(email),
-                    WebUtility.UrlEncode(token))
+                ["url"] = url.ToString()
            };

            var message = await CreateMessageAsync("Continue Logging In", email, "PasswordlessSignIn", model);
--- a/src/Core/Services/Implementations/RazorMailService.cs
+++ b/src/Core/Services/Implementations/RazorMailService.cs
@ -206,10 +206,15 @@ namespace Bit.Core.Services
        public async Task SendPasswordlessSignInAsync(string baseUrl, string token, string email)
        {
            var message = CreateDefaultMessage("Continue Logging In", email);
+
+            var url = CoreHelpers.ExtendQuery(new Uri(baseUrl), new Dictionary<string, string>
+            {
+                ["email"] = email,
+                ["token"] = token,
+            });
            var model = new PasswordlessSignInModel
            {
-                Url = string.Format("{0}?email={1}&token={2}", baseUrl, WebUtility.UrlEncode(email),
-                    WebUtility.UrlEncode(token))
+                Url = url.ToString()
            };
            message.HtmlContent = await _engine.CompileRenderAsync("PasswordlessSignIn", model);
            message.TextContent = await _engine.CompileRenderAsync("PasswordlessSignIn.text", model);
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -12,6 +12,7 @@ using System.Text;
 using System.Text.RegularExpressions;
 using Dapper;
 using System.Globalization;
+using System.Web;

 namespace Bit.Core.Utilities
 {
@ -425,5 +426,31 @@ namespace Bit.Core.Utilities

            return _max.Subtract(date.Value).TotalMilliseconds.ToString(CultureInfo.InvariantCulture);
        }
+
+        // ref: https://stackoverflow.com/a/27545010/1090359
+        public static Uri ExtendQuery(Uri uri, IDictionary<string, string> values)
+        {
+            var baseUri = uri.ToString();
+            var queryString = string.Empty;
+            if(baseUri.Contains("?"))
+            {
+                var urlSplit = baseUri.Split('?');
+                baseUri = urlSplit[0];
+                queryString = urlSplit.Length > 1 ? urlSplit[1] : string.Empty;
+            }
+
+            var queryCollection = HttpUtility.ParseQueryString(queryString);
+            foreach(var kvp in values ?? new Dictionary<string, string>())
+            {
+                queryCollection[kvp.Key] = kvp.Value;
+            }
+
+            var uriKind = uri.IsAbsoluteUri ? UriKind.Absolute : UriKind.Relative;
+            if(queryCollection.Count == 0)
+            {
+                return new Uri(baseUri, uriKind);
+            }
+            return new Uri(string.Format("{0}?{1}", baseUri, queryCollection), uriKind);
+        }
    }
 }