Phoenix: redirect to doesn't handle valid paths

Created on 29 Sep 2020  路  6Comments  路  Source: phoenixframework/phoenix

Environment

  • Elixir version (elixir -v): Elixir 1.11.0-rc.0 (48cee5a) (compiled with Erlang/OTP 23)
  • Phoenix version (mix deps): phoenix 1.5.3
  • NodeJS version (node -v): v13.12.0
  • NPM version (npm -v): 6.14.4
  • Operating system: macOS Catalina

Expected behavior

I expect Phoenix.Controller.redirect/2 to handle all paths that Phoenix.Router will route.

The specific case that I'm encountering is that I expect
Phoenix.Controller.redirect(conn, to: "//profile") not to raise an error

Actual behavior

An error is returned:
the :to option in redirect expects a path but was "//profile"

This check was originally introduced in:
https://github.com/phoenixframework/phoenix/commit/6eb2753aee2ff01d133e4f7ea7161d88e1058748#diff-7da6b70483c3cf2edf06a3f2a6316fceR283

Background

This error comes up when users mistypes a path on the website and the phx.gen.auth stores the conn.request_path in the session: 

  defp maybe_store_return_to(%{method: "GET"} = conn) do
    %{request_path: request_path, query_string: query_string} = conn
    return_to = if query_string == "", do: request_path, else: request_path <> "?" <> query_string
    put_session(conn, :user_return_to, return_to)
  end

But since the request path could be //profile, I then get the above-mentioned error when the user tries to actually log in.

I'm not sure what the correct behavior here is, but perhaps there's a way to satisfy https://github.com/phoenixframework/phoenix/issues/1133 without breaking this use case.

Alternatively maybe phoenix could treat //profile as a 404 instead of rendering the same content as /profile, that would fix this for me as well.

picture axelson

Most helpful comment

My suggestion: change current_path in Phoenix to normalize the path and change phx.gen.auth to use Phoenix.Controller.current_path instead.

picture josevalim on 29 Sep 2020
👍2

All 6 comments

In this case, I would not expect //profile to be a valid local route, so I'm inclined to this the current behavior. I'll let @josevalim confirm, but I don't think we need a change on the phoenix redirect side. Thanks!

chrismccord picture chrismccord on 29 Sep 2020

This is correct in Raising because browsers may take redirecting to //profile the same as redirecting to SCHEME://profile where SCHEME is your current scheme. For example, a lot of people use this to download assets in the current scheme but potentially another domain.

josevalim picture josevalim on 29 Sep 2020

If //profile is not a valid route, how can you make it 404 when the browser seems to accept it?

And / or would you be open to a PR into phx.gen.auth to remove duplicate /s when storing the redirect url to avoid the issue at all?

Adzz picture Adzz on 29 Sep 2020

My suggestion: change current_path in Phoenix to normalize the path and change phx.gen.auth to use Phoenix.Controller.current_path instead.

josevalim picture josevalim on 29 Sep 2020
👍2

That change makes sense to me.

axelson picture axelson on 29 Sep 2020

Fixed in 44a8d90ced173d6083579266e528cdb3281677c6.

josevalim picture josevalim on 12 Oct 2020
1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mmcc picture mmcc  路  3Comments
thedanotto picture thedanotto  路  3Comments
fertapric picture fertapric  路  3Comments
bwschmidt picture bwschmidt  路  4Comments
noam87 picture noam87  路  3Comments