FIX: Handle missing provider return sso url

This commit prevents a 500 error from occurring if someone is trying to
setup their discourse instance as a sso provider and they don't pass in
a `return_sso_url` in their payload.

lib/single_sign_on_provider.rb

@@ -19,6 +19,7 @@ class SingleSignOnProvider < SingleSignOn
     decoded = Base64.decode64(parsed["sso"])
     decoded_hash = Rack::Utils.parse_query(decoded)
 
+    raise ParseError unless decoded_hash.key? 'return_sso_url'
     @return_sso_url = decoded_hash['return_sso_url']
   end
 

spec/requests/session_controller_spec.rb

@@ -1055,6 +1055,13 @@ RSpec.describe SessionController do
         expect(response.body).to eq(I18n.t("sso.missing_secret"))
       end
 
+      it "returns a 422 if no return_sso_url" do
+        SiteSetting.sso_provider_secrets = "abcdefghij"
+        sso = SingleSignOnProvider.new
+        get "/session/sso_provider?sso=asdf&sig=abcdefghij"
+        expect(response.status).to eq(422)
+      end
+
       it "successfully redirects user to return_sso_url when the user is logged in" do
         sign_in(@user)