Steps to reproduce bug
- Ensure you have more than 1 Google account - meaning that Google will ask you to choose which Google account to use every time you authenticate.
- Go to https://dashboard.ophan.co.uk/ and get the Ophan Heatmap bookmarklet

- Log out of https://dashboard.ophan.co.uk/ with the signout button.
- In tab A, go to https://dashboard.ophan.co.uk/ - you should be redirected and see a Google
Choose an account to continue to ophan.co.uk message
- In tab B, go to https://www.theguardian.com/uk and activate the Ophan Heatmap. You should see a "Please log into Ophan to use the heatmap." message:

- Complete the authentication process (by selecting your
guardian.co.uk account) in tab A.
Expected behaviour
Tab A is redirected to https://dashboard.ophan.co.uk/ - which is where the user was trying to go in that tab before the authentication happened.
Actual behaviour
Tab A is redirected to https://dashboard.ophan.co.uk/heatmap/filter-bar?path=/uk&# on completing authentication, and it looks like a mess: 
Cause
The return url is stored in the Play session:
|
def sendForAuth[A](request: RequestHeader)(implicit ec: ExecutionContext) = |
|
Redirect(loginTarget).withSession { |
|
request.session + (GoogleAuthFilters.LOGIN_ORIGIN_KEY, request.uri) |
|
} |
...and is being set with the authentication attempt in Tab A, then overwritten by the authentication attempt in Tab B. When Tab A returns, it unfortunately uses that return url stored by tab B:
|
def setupSessionWhenSuccessful(userIdentity: UserIdentity)(implicit request: RequestHeader): Result = { |
|
val redirect = request.session.get(GoogleAuthFilters.LOGIN_ORIGIN_KEY) match { |
|
case Some(url) => Redirect(url) |
|
case None => Redirect(defaultRedirectTarget) |
|
} |
Proposed Fix
Instead of storing the return url in the Play session, it could be stored in the state of the OAuth authentication request - ie in the JWT token introduced with #52.
The return url should probably be encrypted to avoid return urls leaking to Google servers.
Steps to reproduce bug
Choose an account to continue to ophan.co.ukmessageguardian.co.ukaccount) in tab A.Expected behaviour
Tab A is redirected to https://dashboard.ophan.co.uk/ - which is where the user was trying to go in that tab before the authentication happened.
Actual behaviour
Tab A is redirected to https://dashboard.ophan.co.uk/heatmap/filter-bar?path=/uk&# on completing authentication, and it looks like a mess:
Cause
The return url is stored in the Play session:
play-googleauth/module/src/main/scala/com/gu/googleauth/actions.scala
Lines 83 to 86 in 7582a32
...and is being set with the authentication attempt in Tab A, then overwritten by the authentication attempt in Tab B. When Tab A returns, it unfortunately uses that return url stored by tab B:
play-googleauth/module/src/main/scala/com/gu/googleauth/actions.scala
Lines 197 to 201 in 7582a32
Proposed Fix
Instead of storing the return url in the Play session, it could be stored in the
stateof the OAuth authentication request - ie in the JWT token introduced with #52.The return url should probably be encrypted to avoid return urls leaking to Google servers.