From 0f1ba41a90ef5625be037c898ca10e0b9266d4d9 Mon Sep 17 00:00:00 2001
From: Stephen von Takach
Date: Thu, 14 Sep 2023 07:23:55 +1000
Subject: [PATCH] fix(sessions): ignore login requests with redirects to files

this improves the previous work
---
 app/controllers/auth/coauth_controller.rb | 8 +-------
 app/controllers/auth/sessions_controller.rb | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/app/controllers/auth/coauth_controller.rb b/app/controllers/auth/coauth_controller.rb
index 13a9b97..e0b344f 100644
--- a/app/controllers/auth/coauth_controller.rb
+++ b/app/controllers/auth/coauth_controller.rb
@@ -88,16 +88,10 @@ def store_social(uid, provider)
 
 def set_continue(path)
 path ||= "/"
- uri = Addressable::URI.parse(path)
-
- # we won't set continue to files (except html)
- ext = uri.extname
- if ext.presence
- return unless ext.downcase == ".html"
- end
 
 # prevent adverse behaviour
 if !path.start_with?("/") || path.include?("//")
+ uri = Addressable::URI.parse(path)
 path = "#{uri.request_uri}#{uri.fragment ? "##{uri.fragment}" : nil}"
 end
 
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index a026e60..b91d859 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
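Review bot: With the extension guard deleted from set_continue, the method itself no longer refuses a continue path that points at a non-HTML file; that rejection now exists only in the caller that performs it (SessionsController#new in this patch), so any other caller of set_continue — none are visible in this hunk — would again store a path to an asset that the old code refused. Recording that contract at the top of the method would keep future callers honest, e.g. `# NOTE: callers must reject continue paths to non-HTML files before calling this (see SessionsController#new)`. The "prevent adverse behaviour" comment could also say what it prevents, `# normalise to a same-origin relative path so continue cannot redirect off-site`, since that is what the request_uri rebuild does. The remainder of set_continue, including where the normalised path is stored, lies outside the hunk.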
@@ -12,14 +12,22 @@ class SessionsController < CoauthController
 # Inline login
 def new
 details = params.permit(:provider, :continue, :id)
- remove_session
 continue_uri = details[:continue]
 
- # check for x-api-keys
- # if they exist and are valid (making a request to rest-api to confirm)
- # then configure a long lasting verified cookie
 if continue_uri
 parsed_uri = URI.parse(continue_uri)
+
+ # we won't set continue to files (except html)
+ # we 401 here as this redirect is most likely caused by asset protection
+ ext = parsed_uri.extname
+ if ext.presence && ext.downcase != ".html"
+ head :bad_request
+ return
+ end
+
+ # check for x-api-keys
+ # if they exist and are valid (making a request to rest-api to confirm)
+ # then configure a long lasting verified cookie
 query_params = parsed_uri.query
 query_fragment = parsed_uri.fragment
 if query_fragment
@@ -38,6 +46,7 @@ def new
 end
 end
 
+ remove_session
 provider = details[:provider]
 auth_id = details[:id]
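Review bot: `parsed_uri.extname` is called on the value returned by stdlib `URI.parse`, and `URI::Generic` does not define `extname` — the removed guard in coauth_controller got that method from `Addressable::URI` — so unless the project extends URI this branch raises NoMethodError for every login request carrying a continue parameter; `ext = File.extname(parsed_uri.path.to_s)` performs the same check with the standard library and also ignores the query string. The new comment says "we 401 here" while the code responds with `head :bad_request` (400); make them agree, e.g. `# we 400 here as this redirect is most likely caused by asset protection`. `URI.parse` raising `URI::InvalidURIError` on a malformed continue value predates this change and is still unhandled, so the new guard is never reached for such input. The body of `new` continues past the hunk.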