[#5074] redirect with 303 in case of a POST OAuth2 callback

2024-06-18 12:10:12 +03:00 · 2024-06-18 12:10:12 +03:00 · af9cf33553
parent d417b86fc0
commit af9cf33553
2 changed files with 12 additions and 7 deletions
--- a/apis/record_auth.go
+++ b/apis/record_auth.go
@ -672,28 +672,33 @@ type oauth2RedirectData struct {
 }

 func (api *recordAuthApi) oauth2SubscriptionRedirect(c echo.Context) error {
+	redirectStatusCode := http.StatusTemporaryRedirect
+	if c.Request().Method != http.MethodGet {
+		redirectStatusCode = http.StatusSeeOther
+	}
+
 	data := oauth2RedirectData{}
 	if err := c.Bind(&data); err != nil {
 		api.app.Logger().Debug("Failed to read OAuth2 redirect data", "error", err)
-		return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectFailurePath)
+		return c.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
 	}

 	if data.State == "" {
 		api.app.Logger().Debug("Missing OAuth2 state parameter")
-		return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectFailurePath)
+		return c.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
 	}

 	client, err := api.app.SubscriptionsBroker().ClientById(data.State)
 	if err != nil || client.IsDiscarded() || !client.HasSubscription(oauth2SubscriptionTopic) {
 		api.app.Logger().Debug("Missing or invalid OAuth2 subscription client", "error", err, "clientId", data.State)
-		return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectFailurePath)
+		return c.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
 	}
 	defer client.Unsubscribe(oauth2SubscriptionTopic)

 	encodedData, err := json.Marshal(data)
 	if err != nil {
 		api.app.Logger().Debug("Failed to marshalize OAuth2 redirect data", "error", err)
-		return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectFailurePath)
+		return c.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
 	}

 	msg := subscriptions.Message{
@ -705,8 +710,8 @@ func (api *recordAuthApi) oauth2SubscriptionRedirect(c echo.Context) error {

 	if data.Error != "" || data.Code == "" {
 		api.app.Logger().Debug("Failed OAuth2 redirect due to an error or missing code parameter", "error", data.Error, "clientId", data.State)
-		return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectFailurePath)
+		return c.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
 	}

-	return c.Redirect(http.StatusTemporaryRedirect, oauth2RedirectSuccessPath)
+	return c.Redirect(redirectStatusCode, oauth2RedirectSuccessPath)
 }
--- a/apis/record_auth_test.go
+++ b/apis/record_auth_test.go
@ -1714,7 +1714,7 @@ func TestRecordAuthOAuth2Redirect(t *testing.T) {
 			BeforeTestFunc: beforeTestFunc(clientStubs[7], map[string][]string{
 				"c3": {`"state":"` + clientStubs[7]["c3"].Id(), `"code":"123"`},
 			}),
-			ExpectedStatus: http.StatusTemporaryRedirect,
+			ExpectedStatus: http.StatusSeeOther,
 			AfterTestFunc: func(t *testing.T, app *tests.TestApp, res *http.Response) {
 				app.Store().Get("cancelFunc").(context.CancelFunc)()