
fix(auth): preserve redirect URL after logout #53023


Status: Draft, wants to merge 1 commit into base: master
Conversation

ChristophWurst
Member

Summary

Preserve the redirect URL. This is mostly helpful for the client login flow.

How to test

  1. Set up 2FA
  2. Log in
  3. Navigate to /apps/files -> you get redirected to login
  4. Log in with your password
  5. Click Cancel logout at the 2FA pages
  6. Log in again with password
  7. Complete the 2FA challenge

master: you see the dashboard (default app)
here: you see the files app

TODO

  • Do

Checklist

@i2h3

i2h3 commented May 22, 2025

  • Set up 2FA
  • Log in
  • Navigate to /apps/files -> you get redirected to login
  • Log in with your password
  • Click Cancel logout at the 2FA pages
  • Log in again with password
  • Complete the 2FA challenge

It reads like you mixed up words. Don't you mean it like this? 🤔

  1. Set up 2FA
  2. Log out
  3. Navigate to /apps/files -> you get redirected to login
  4. Log in with your password
  5. Click "cancel login" at the 2FA page
  6. Log in again with password
  7. Complete the 2FA challenge

@ChristophWurst
Member Author

Correct. My bad.

@i2h3

i2h3 commented May 22, 2025

It does not work completely. But this might be a valuable lead to the solution of another problem we are currently facing and you probably remember: the mismatching status token (@mpivchev might care). I do exactly as the instructions say and then I end up at the error page which states exactly that.

ScreenRecording.mp4

Setup

  • szaimen/nextcloud-easy-test with this fix/auth/logout-redirect-url branch.
  • iOS 18.4 Simulator.
  • Latest master of iOS app deployed directly from Xcode Version 16.3 (16E140) to the Simulator.

@ChristophWurst
Member Author

Cool, I'll have a look at that

@ChristophWurst
Member Author

ChristophWurst commented May 26, 2025

The problem is the restarting of the PHP session during login. This clears all previous values.

In more detail: we store the token of GET /login/v2/flow/{token} in the session, then go to login (or skip it for existing sessions) and finally go to the grant page. If the user was already logged in, the session remains the same. For login there will be a fresh session, which doesn't have the token.

What puzzles me is that the code is 6 years old. The landing page was always a "public page", making it accessible before authentication. Either this never worked, or we had a mechanism to preserve session values at login, which no longer works.

Found a case where login is not an issue. Digging deeper.
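The session-restart problem described in the comment above, as an added illustration that is not Nextcloud's code: a stand-in session whose restart at login drops every value (the master behaviour), a restart that carries over an explicit allowlist of pre-authentication keys (the login flow token and the remembered redirect URL), and the same-origin check a redirect target should pass before it is stored or followed. The class, key and function names (`Session`, `login_flow_token`, `redirect_url`, `isSafeRedirectUrl`, the sample token) are assumptions made for this example, and the two-step password login models cancelling the 2FA page and logging in again from the test instructions.

```php
<?php
declare(strict_types=1);
// Added example, not Nextcloud code. All names below are assumptions
// chosen for illustration; requires PHP 8.0+ for the "mixed" type.

/** Minimal stand-in for a server-side PHP session. */
final class Session {
    /** @var array<string, mixed> */
    private array $data = [];
    public string $id;

    public function __construct() { $this->id = bin2hex(random_bytes(8)); }
    public function set(string $k, mixed $v): void { $this->data[$k] = $v; }
    public function get(string $k): mixed { return $this->data[$k] ?? null; }

    /** A fresh session at login: new id, every previous value gone. */
    public function restart(): void {
        $this->data = [];
        $this->id = bin2hex(random_bytes(8));
    }

    /** Same restart, but carry over an explicit allowlist of keys. */
    public function restartKeeping(array $keep): void {
        $carry = array_intersect_key($this->data, array_flip($keep));
        $this->restart();
        $this->data = $carry;
    }
}

/**
 * Accept only same-origin paths as post-login targets: rejects absolute
 * URLs, scheme-relative "//host", the "/\host" variant and control chars.
 */
function isSafeRedirectUrl(string $url): bool {
    if ($url === '' || $url[0] !== '/') { return false; }
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) { return false; }
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) { return false; }
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

/** Step 1 of the client flow: GET /login/v2/flow/{token} stores the token. */
function beginLoginFlow(Session $s, string $token): void {
    $s->set('login_flow_token', $token);
}

/** Unauthenticated request to a protected route: remember where to go. */
function rememberRedirect(Session $s, string $target): void {
    if (isSafeRedirectUrl($target)) { $s->set('redirect_url', $target); }
}

/** Password step. $preserve=false models master, true models the carry-over. */
function loginWithPassword(Session $s, bool $preserve): void {
    if ($preserve) {
        $s->restartKeeping(['login_flow_token', 'redirect_url']);
    } else {
        $s->restart();
    }
    $s->set('user', 'alice');
}

/** After the 2FA challenge: where does the user land? Re-check before use. */
function postLoginTarget(Session $s, string $defaultApp = '/apps/dashboard'): string {
    $target = $s->get('redirect_url');
    return is_string($target) && isSafeRedirectUrl($target) ? $target : $defaultApp;
}

foreach ([['master', false], ['with carry-over', true]] as [$label, $preserve]) {
    $s = new Session();
    beginLoginFlow($s, 'flow-token-123');          // constructed sample token
    rememberRedirect($s, '/apps/files');            // user hit /apps/files while logged out
    rememberRedirect($s, '//attacker.example/');    // ignored: not a same-origin path
    loginWithPassword($s, $preserve);               // password step
    loginWithPassword($s, $preserve);               // cancel at 2FA page, log in again
    printf("%-16s token=%s target=%s\n", $label,
        var_export($s->get('login_flow_token'), true), postLoginTarget($s));
}
```

The master run ends with no flow token and the default app as target, because each password login restarts the session; the carry-over run keeps both values across both restarts. Two caveats matter in practice: the allowlist must contain only pre-authentication state (the restart at login exists to defeat session fixation, so nothing that confers privilege may be carried over), and the redirect target is validated both when stored and when followed, so a value that reached the session by another path cannot become an open redirect.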

@i2h3

i2h3 commented Jun 16, 2025

@ChristophWurst How can the fix for the redirect URL preservation proceed? I just ran into this myself moments ago with our corporate instance. I would suggest decoupling the state token issue into a different pull request.

@ChristophWurst
Member Author

There is nothing specific to state tokens in this PR. It handles redirect URLs generically for logout.

@i2h3

i2h3 commented Jun 16, 2025

I was not referring to the state tokens but the retention of the redirect URL. This is a valid fix for a confirmed (other) problem. Hence the question: why wait for the state token affair?

@ChristophWurst
Member Author

Yes, true

Successfully merging this pull request may close these issues.

[Bug]: Second Authentication Step Cancellation Breaks Client Login