Skip to content

Make the relay_state optional in the response. #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
matejak wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Make the relay_state optional in the response. #15

matejak wants to merge 1 commit into from

Conversation

@matejak
Copy link

@matejak matejak commented Jan 13, 2020
edited
Loading

If relay_state isn't part of the outgoing request, it won't come back as a response. In that case, the code wouldn't work.

I have renamed the relay_state to its semantic meaning redirect_to, and adjusted the code so that it conforms with the method's comments.

This behavior occurs when SERVER_NAME is not specified in the configuration, which also affects get_login_return_url though - in that case, no URL will pass the is_valid_redirect_url validation, as the code calls make_absolute_url which needs the server name set to work properly.

@matejak
Make the relay_state optional in the response.
253d1c1 
If relay_state isn't part of the outgoing request, it won't come back as a response.
In that case, the code wouldn't work.
mx-moth
mx-moth requested changes Jan 14, 2020
View reviewed changes
Copy link
Owner

@mx-moth mx-moth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this pull request!

flask_saml2/sp/sp.py
self,
auth_data: AuthData,
relay_state: str,
redirect_to: str,
Copy link
Owner

@mx-moth mx-moth Jan 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As you've used request.form.get('RelayState') below, the type of this should now be Optional[str]

flask_saml2/sp/sp.py
self.set_auth_data_in_session(auth_data)
return redirect(relay_state)
if not redirect_to:
redirect_to = self.get_login_return_url()
Copy link
Owner

@mx-moth mx-moth Jan 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be get_default_login_return_url(), as get_login_return_url() will check request.args.get('next'), potentially allowing the IdP to inject its own redirect parameter. (Ignoring that the IdP could alter RelayState to achieve the same thing).

Both get_login_return_url() and get_default_login_return_url() can return None in their default implementations. In this case, it would be appropriate to raise an error in login_successful(), as there is nothing else we can do. If the developer has not overridden get_default_login_return_url() then there is no where to redirect to.

Copy link
Author

@matejak matejak Jan 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your review!
As this is a web application, I am a bit reluctant to raise an error "by default". What about returning / as default login return URL, so it is not so easy to get a traceback?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mx-moth mx-moth mx-moth requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matejak @mx-moth