fix: prevent abuse of redirect behavior

Author: TheauW

packages/diracx-web-components/src/components/Login/LoginForm.tsx

@@ -14,8 +14,6 @@ import { Stack } from "@mui/material";
 import { useOidc } from "@axa-fr/react-oidc";
 import { useMetadata, Metadata } from "../../hooks/metadata";
 import { useOIDCContext } from "../../hooks/oidcConfiguration";
-
-import { useSearchParamsUtils } from "../../hooks/searchParamsUtils";
 import { NavigationContext } from "../../contexts/NavigationProvider";
 import { useDiracxUrl } from "../../hooks";
 
@@ -39,7 +37,6 @@ export function LoginForm({
   const { configuration, setConfiguration } = useOIDCContext();
   const { isAuthenticated, login } = useOidc(configuration?.scope);
   const { setPath } = useContext(NavigationContext);
-  const { getParam } = useSearchParamsUtils();
   const OIDC_LOGIN_ATTEMPTED_KEY = "oidcLoginAttempted";
 
   // Login if not authenticated
@@ -60,14 +57,10 @@ export function LoginForm({
     // Redirect to dashboard if already authenticated
     if (isAuthenticated) {
       sessionStorage.removeItem(OIDC_LOGIN_ATTEMPTED_KEY);
-      const redirect = getParam("redirect");
-      if (redirect) {
-        setPath(redirect);
-      } else {
-        setPath("/");
-      }
+      // Redirect to the root path
+      setPath("/");
     }
-  }, [getParam, isAuthenticated, setPath]);
+  }, [isAuthenticated, setPath]);
 
   // Get default group
   const getDefaultGroup = (

packages/diracx-web-components/src/components/OIDC/OIDCSecure.tsx

@@ -18,19 +18,14 @@ export function OIDCSecure({ children }: OIDCProps) {
   const { configuration } = useOIDCContext();
   const { isAuthenticated } = useOidc(configuration?.scope);
   const { setPath } = useContext(NavigationContext);
+  const pathName = useContext(NavigationContext).getPath();
 
   useEffect(() => {
     // Redirect to login page if not authenticated
-    if (!isAuthenticated) {
-      setPath(
-        "/auth?" +
-          // URLSearchParams to ensure that auth redirects users to the URL they came from
-          new URLSearchParams({
-            redirect: window.location.pathname + window.location.search,
-          }).toString(),
-      );
+    if (!isAuthenticated && !pathName.startsWith("/auth")) {
+      setPath("/auth");
     }
-  }, [isAuthenticated, setPath]);
+  }, [isAuthenticated, setPath, pathName]);
 
   return <>{children}</>;
 }

packages/diracx-web/test/e2e/loginOut.cy.ts

@@ -69,4 +69,31 @@ describe("Login and Logout", () => {
     cy.visit("/");
     cy.url().should("include", "/auth");
   });
+
+  it("prevent infinite login loop", () => {
+    // The user is redirected to the /auth page because not authenticated
+    // Make sure we are on the /auth page
+    cy.url().should("include", "/auth");
+
+    const currentUrl = cy.url();
+
+    cy.wait(5000); // Wait 5 seconds to let a possible infinite loop happen
+
+    // Check that the URL has not changed
+    cy.url().should("eq", currentUrl);
+
+    // Login
+    cy.get('[data-testid="button-login"]').click();
+    cy.get("#login").type("[email protected]");
+    cy.get("#password").type("password");
+
+    // Find the login button and click on it
+    cy.get("button").click();
+    // Grant access
+    cy.get(":nth-child(1) > form > .dex-btn").click();
+    cy.url().should("include", "/auth");
+
+    // The user is redirected to the dashboard page
+    cy.url().should("eq", Cypress.config().baseUrl);
+  });
 });