fix: Use an HTTP 301 redirect for internal redirects initiated by LTI logins #422
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hectoras
requested review from
andreluizmachado,
gabrielfs7,
bartlomiejmarszal,
Nevermind23 and
shpran
gabrielfs7
reviewed
Aug 8, 2024
gabrielfs7
reviewed
Aug 8, 2024
gabrielfs7
reviewed
Aug 8, 2024
controller/AuthoringTool.php
Outdated
| $this->getLogger()->warning( | ||
| sprintf( | ||
| 'Missing registration for current audience. Redirecting to the login page. Exception: %s', | ||
| $exception | ||
| ) | ||
| ); | ||
| $this->redirect(_url('login', 'Main', 'tao')); | ||
|
|
||
| $this->redirect(_url('login', 'Main', 'tao')); // throws |
There was a problem hiding this comment.
Can we add a return here, does not make sense to redirect follow to an exception throw. It is really confusing reading the code.
Suggested change
| $this->redirect(_url('login', 'Main', 'tao')); // throws | |
| $this->redirect(_url('login', 'Main', 'tao')); | |
| return; |
Version
There are 0 BREAKING CHANGE, 0 feature, 1 fix |
gabrielfs7
approved these changes
Aug 8, 2024
There was a problem hiding this comment.
LGTM, code check only
To be validated by QA to be sure behavior works and it is backward compatible
- New code is covered by tests (if applicable)
- Tests are running successfully (old and new ones) on my local machine (if applicable)
- New code is respecting code style rules
- New code is respecting best practices
- New code is not subject to concurrency issues (if applicable)
- Feature is working correctly on my local machine (if applicable)
- Acceptance criteria are respected
- Pull request title and description are meaningful
|
Actually, it seems that sticking to the default 302 redirect instead of a 301 is also working as expected once we initiate the page change using the new mechanism from https://github.com/oat-sa/tao-portal/pull/1091/files, closing this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Associated Jira issue: SOLAR-668
When a user clicks on the link from Portal to go into TAO 3.x, Portal redirects the user to https://backoffice.host/taoLti/AuthoringTool/launch with an LTI payload with a short expiration time. That payload is expected to be used only once.
In turn, when this request hits TAO 3.x, the
launch()action validates the payload and security constraints, starts a user session and forwards its processing to therun()method in the same controller ($this->forward()). Whenrun()is called, it checks if the user session just created bylaunch()is valid, and then issues an HTTP redirect (redirect()).This redirect happens to be sent to the client as a a generic
HTTP 302 Foundresponse, which is meant to indicate that the target resource resides temporarily under a different URI and, since the redirection might be altered on occasion, expects the browser to continue to use the target URI for future requests [ref]. That means the 302 redirect makes the browser to keep the intermediate URL returning the redirect itself as part of the "normal flow": The URL for the controller that validates the request coming from Portal is kept in the browser history, as it might be altered on occasion.Changes in this PR make that intermediate jump from the authentication logic (
launch()) into Authoring itself (run()) to be issued as anHTTP 301 Moved Permanentlyredirect instead, which makes any future references to the intermediate URL to use one of the enclosed URIs [ref]. That means the intermediate redirect is permanent, and the browser shall use the target URL for the redirect instead of the intermediate one. The net effect of this is that the intermediate URL (launch()) is not part of the "normal flow" anymore, so it is not kept in the browser history: Clicking the "back button" goes back to Portal.There's also another intermediate request to the Auth server to get a token used for the LTI launch; however, that one is handled within the Javascript code and therefore it's not captured in the browser history.
Note the previous URL will be http://portal.host/content-bank, meaning clicking on the back button will bounce the user back to TAO 3.x. That is to be fixed at the Portal FE.
Related PR: