the protection I placed was in the wrong path moved to /session/sso

correct previous commit
2018-11-09 17:17:43 +11:00 · 2018-11-09 17:17:43 +11:00 · 64d9be726f
parent 5076487eaf
commit 64d9be726f
2 changed files with 4 additions and 4 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -173,7 +173,7 @@ class SessionController < ApplicationController
        end

        # never redirects back to sso in an sso loop
-        if return_path.start_with?(path("/sso"))
+        if return_path.start_with?(path("/session/sso"))
          return_path = path("/")
        end

--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -303,8 +303,8 @@ RSpec.describe SessionController do

    end

-    it 'will never redirect back to /sso path' do
-      sso = get_sso("/sso?bla=1")
+    it 'will never redirect back to /session/sso path' do
+      sso = get_sso("/session/sso?bla=1")
      sso.email = user.email
      sso.external_id = 'abc'
      sso.username = 'sam'
@ -312,7 +312,7 @@ RSpec.describe SessionController do
      get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
      expect(response).to redirect_to('/')

-      sso = get_sso("http://#{Discourse.current_hostname}/sso?bla=1")
+      sso = get_sso("http://#{Discourse.current_hostname}/session/sso?bla=1")
      sso.email = user.email
      sso.external_id = 'abc'
      sso.username = 'sam'