Ignore replayed OIDC callback when session is already authenticated#1343
Ignore replayed OIDC callback when session is already authenticated#1343lovasoa wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a0f8327795
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ) | ||
| { | ||
| log::warn!("Ignoring replayed OIDC callback for an already authenticated session: {e:#}"); | ||
| let mut resp = build_redirect_response("/".to_string()); |
There was a problem hiding this comment.
Respect site_prefix when ignoring replayed callbacks
When site_prefix is configured and SQLPage is mounted only under that prefix, this new recovery path sends the browser to the host root instead of the SQLPage app. A replayed callback for /my-app/sqlpage/oidc_callback would therefore redirect to /, which may be handled by another app or by the reverse proxy rather than reaching SQLPage's prefix redirect; use the configured prefixed home URL for this fallback.
Useful? React with 👍 / 👎.
Motivation
Description
handle_oidc_callback_erroradd a branch that detects a missing temporary OIDC state cookie viais_missing_tmp_login_flow_state_cookie_errorand an already-authenticated session viaget_authenticated_user_info, logs a warning, clears the redirect-count cookie, and redirects to/instead of restarting the login flow.is_missing_tmp_login_flow_state_cookie_errorto recognize the specific error string for a missingsqlpage_oidc_state_*cookie.test_oidc_replayed_callback_after_login_does_not_restart_loginintests/oidc/mod.rsthat reproduces the replayed-callback scenario and asserts the callback is ignored and redirects to/.CHANGELOG.mdwith a note describing that OIDC login no longer restarts when a browser replays an already-consumed callback.Testing
cargo test, including the new OIDC testtest_oidc_replayed_callback_after_login_does_not_restart_login, and it passed.test_oidc_happy_pathwere executed and continued to pass.Codex Task