From 64233f91d21491d0eaf8d2a0cbcc6450e8fb8741 Mon Sep 17 00:00:00 2001
From: Lennart <18233294+lennart-k@users.noreply.github.com>
Date: Sun, 13 Apr 2025 19:55:48 +0200
Subject: [PATCH] frontend: Janky code to make redirects after login work

---
 Cargo.lock                                    |  1 +
 crates/frontend/Cargo.toml                    |  1 +
 .../public/templates/pages/login.html         | 13 ++++++-
 crates/frontend/src/lib.rs                    | 19 ++++++----
 crates/frontend/src/nextcloud_login.rs        |  9 ++++-
 crates/frontend/src/oidc/mod.rs               | 31 +++++++++++-----
 crates/frontend/src/routes/login.rs           | 36 ++++++++++++++++---
 7 files changed, 89 insertions(+), 21 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f7b79fd..57d11cd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3116,6 +3116,7 @@ dependencies = [
  "serde",
  "thiserror 2.0.12",
  "tokio",
+ "url",
  "uuid",
 ]
 
diff --git a/crates/frontend/Cargo.toml b/crates/frontend/Cargo.toml
index 37f580e..6bd9d84 100644
--- a/crates/frontend/Cargo.toml
+++ b/crates/frontend/Cargo.toml
@@ -24,3 +24,4 @@ reqwest.workspace = true
 rand.workspace = true
 chrono.workspace = true
 uuid.workspace = true
+url.workspace = true
diff --git a/crates/frontend/public/templates/pages/login.html b/crates/frontend/public/templates/pages/login.html
index 044a71e..77ef407 100644
--- a/crates/frontend/public/templates/pages/login.html
+++ b/crates/frontend/public/templates/pages/login.html
@@ -4,6 +4,9 @@
 
 <div class="login_window">
   <h1>Login</h1>
+  {% if let Some(redirect_uri) = redirect_uri %}
+  <p>and redirect to {{redirect_uri}}</p>
+  {% endif %}
   <form action="login" method="post" id="form_login">
     <label for="username">Username</label>
     <input type="text" id="username" name="username" placeholder="username">
@@ -11,11 +14,19 @@
     <label for="password">Password</label>
     <input type="password" id="password" name="password" placeholder="password">
     <br>
+    {% if let Some(redirect_uri) = redirect_uri %}
+    <input type="hidden" name="redirect_uri" value="{{ redirect_uri }}">
+    {% endif %}
     <button type="submit">Login</button>
   </form>
 
   {% if let Some(OidcProviderData {name, redirect_url}) = oidc_data %}
-  <a href="{{ redirect_url }}">Login with {{ name }}</a>
+  <form action="{{ redirect_url }}" method="post" id="form_login">
+    {% if let Some(redirect_uri) = redirect_uri %}
+    <input type="hidden" name="redirect_uri" value="{{ redirect_uri }}">
+    {% endif %}
+    <button type="submit">Login with {{ name }}</button>
+  </form>
   {% endif %}
 </div>
 
diff --git a/crates/frontend/src/lib.rs b/crates/frontend/src/lib.rs
index b72e6b5..d4fafb3 100644
--- a/crates/frontend/src/lib.rs
+++ b/crates/frontend/src/lib.rs
@@ -12,7 +12,7 @@ use actix_web::{
 use askama::Template;
 use askama_web::WebTemplate;
 use assets::{Assets, EmbedService};
-use oidc::{route_get_oidc, route_get_oidc_callback};
+use oidc::{route_get_oidc_callback, route_post_oidc};
 use routes::{
     addressbook::{route_addressbook, route_addressbook_restore},
     calendar::{route_calendar, route_calendar_restore},
@@ -44,7 +44,7 @@ struct UserPage {
 
 async fn route_user(user: User, req: HttpRequest) -> Redirect {
     Redirect::to(
-        req.url_for("frontend_user_named", &[&user.id])
+        req.url_for("frontend_user_named", &[user.id])
             .unwrap()
             .to_string(),
     )
@@ -105,15 +105,22 @@ async fn route_root(user: Option<User>, req: HttpRequest) -> impl Responder {
     web::Redirect::to(redirect_url.to_string()).permanent()
 }
 
-fn unauthorized_handler<B>(res: ServiceResponse<B>) -> actix_web::Result<ErrorHandlerResponse<B>> {
+pub(crate) fn unauthorized_handler<B>(
+    res: ServiceResponse<B>,
+) -> actix_web::Result<ErrorHandlerResponse<B>> {
     let (req, _) = res.into_parts();
-    let login_url = req.url_for_static("frontend_login").unwrap().to_string();
+    let redirect_uri = req.uri().to_string();
+    let mut login_url = req.url_for_static("frontend_login").unwrap();
+    login_url
+        .query_pairs_mut()
+        .append_pair("redirect_uri", &redirect_uri);
+    let login_url = login_url.to_string();
 
     let response = HttpResponse::Unauthorized().body(format!(
         r#"<!Doctype html>
         <html>
             <head>
-                <meta http-equiv="refresh" content="2; url={login_url}" />
+                <meta http-equiv="refresh" content="1; url={login_url}" />
             </head>
             <body>
                 Unauthorized, redirecting to <a href="{login_url}">login page</a>
@@ -196,7 +203,7 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
             .service(
                 web::resource("/login/oidc")
                     .name("frontend_login_oidc")
-                    .route(web::method(Method::GET).to(route_get_oidc)),
+                    .route(web::method(Method::POST).to(route_post_oidc)),
             )
             .service(
                 web::resource("/login/oidc/callback")
diff --git a/crates/frontend/src/nextcloud_login.rs b/crates/frontend/src/nextcloud_login.rs
index 07bb96e..fe69374 100644
--- a/crates/frontend/src/nextcloud_login.rs
+++ b/crates/frontend/src/nextcloud_login.rs
@@ -1,6 +1,10 @@
 use actix_web::{
     HttpRequest, HttpResponse, Responder,
-    http::header::{self},
+    http::{
+        StatusCode,
+        header::{self},
+    },
+    middleware::ErrorHandlers,
     web::{self, Data, Form, Html, Json, Path, ServiceConfig},
 };
 use askama::Template;
@@ -11,6 +15,8 @@ use serde::{Deserialize, Serialize};
 use std::{collections::HashMap, sync::Arc};
 use tokio::sync::RwLock;
 
+use crate::unauthorized_handler;
+
 #[derive(Debug, Clone)]
 struct NextcloudFlow {
     app_name: String,
@@ -217,6 +223,7 @@ pub fn configure_nextcloud_login<AP: AuthenticationProvider>(
 ) {
     cfg.service(
         web::scope("/index.php/login/v2")
+            .wrap(ErrorHandlers::new().handler(StatusCode::UNAUTHORIZED, unauthorized_handler))
             .wrap(AuthenticationMiddleware::new(auth_provider.clone()))
             .app_data(Data::from(nextcloud_flows_state))
             .app_data(Data::from(auth_provider.clone()))
diff --git a/crates/frontend/src/oidc/mod.rs b/crates/frontend/src/oidc/mod.rs
index a1014f8..1cfff7e 100644
--- a/crates/frontend/src/oidc/mod.rs
+++ b/crates/frontend/src/oidc/mod.rs
@@ -5,7 +5,7 @@ use actix_web::{
     body::BoxBody,
     error::UrlGenerationError,
     http::StatusCode,
-    web::{Data, Query, Redirect},
+    web::{Data, Form, Query, Redirect},
 };
 use openidconnect::{
     AuthenticationFlow, AuthorizationCode, ClaimsVerificationError, ConfigurationError, CsrfToken,
@@ -67,6 +67,7 @@ struct OidcState {
     state: CsrfToken,
     nonce: Nonce,
     pkce_verifier: PkceCodeVerifier,
+    redirect_uri: Option<String>,
 }
 
 fn get_http_client() -> reqwest::Client {
@@ -109,9 +110,15 @@ async fn get_oidc_client(
     .set_redirect_uri(redirect_uri))
 }
 
+#[derive(Debug, Deserialize)]
+pub struct GetOidcForm {
+    redirect_uri: Option<String>,
+}
+
 /// Endpoint that redirects to the authorize endpoint of the OIDC service
-pub async fn route_get_oidc(
+pub async fn route_post_oidc(
     req: HttpRequest,
+    Form(GetOidcForm { redirect_uri }): Form<GetOidcForm>,
     config: Data<FrontendConfig>,
     session: Session,
 ) -> Result<impl Responder, OidcError> {
@@ -146,6 +153,7 @@ pub async fn route_get_oidc(
             state: csrf_token,
             nonce,
             pkce_verifier,
+            redirect_uri,
         },
     )?;
 
@@ -225,16 +233,23 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
         user = Some(new_user);
     }
 
+    let default_redirect = req.url_for_static("frontend_user")?.to_string();
+    let redirect_uri = oidc_state.redirect_uri.unwrap_or(default_redirect.clone());
+    let redirect_uri = req
+        .full_url()
+        .join(&redirect_uri)
+        .ok()
+        .and_then(|uri| req.full_url().make_relative(&uri))
+        .unwrap_or(default_redirect);
+
     // Complete login flow
     if let Some(user) = user {
         session.insert("user", user.id.clone())?;
 
-        Ok(
-            Redirect::to(req.url_for_static("frontend_user")?.to_string())
-                .temporary()
-                .respond_to(&req)
-                .map_into_boxed_body(),
-        )
+        Ok(Redirect::to(redirect_uri)
+            .temporary()
+            .respond_to(&req)
+            .map_into_boxed_body())
     } else {
         // Add user provisioning
         Ok(HttpResponse::build(StatusCode::UNAUTHORIZED).body("User does not exist"))
diff --git a/crates/frontend/src/routes/login.rs b/crates/frontend/src/routes/login.rs
index 1442075..80d1dea 100644
--- a/crates/frontend/src/routes/login.rs
+++ b/crates/frontend/src/routes/login.rs
@@ -3,7 +3,7 @@ use actix_session::Session;
 use actix_web::{
     HttpRequest, HttpResponse, Responder,
     error::ErrorUnauthorized,
-    web::{Data, Form, Redirect},
+    web::{Data, Form, Query, Redirect},
 };
 use askama::Template;
 use askama_web::WebTemplate;
@@ -13,11 +13,22 @@ use serde::Deserialize;
 #[derive(Template, WebTemplate)]
 #[template(path = "pages/login.html")]
 struct LoginPage<'a> {
+    redirect_uri: Option<String>,
     oidc_data: Option<OidcProviderData<'a>>,
 }
 
-pub async fn route_get_login(req: HttpRequest, config: Data<FrontendConfig>) -> impl Responder {
+#[derive(Debug, Deserialize)]
+pub struct GetLoginQuery {
+    redirect_uri: Option<String>,
+}
+
+pub async fn route_get_login(
+    Query(GetLoginQuery { redirect_uri }): Query<GetLoginQuery>,
+    req: HttpRequest,
+    config: Data<FrontendConfig>,
+) -> impl Responder {
     LoginPage {
+        redirect_uri,
         oidc_data: config.oidc.as_ref().map(|oidc| OidcProviderData {
             name: &oidc.name,
             redirect_url: req
@@ -33,20 +44,35 @@ pub async fn route_get_login(req: HttpRequest, config: Data<FrontendConfig>) ->
 pub struct PostLoginForm {
     username: String,
     password: String,
+    redirect_uri: Option<String>,
 }
 
 pub async fn route_post_login<AP: AuthenticationProvider>(
     req: HttpRequest,
-    form: Form<PostLoginForm>,
+    Form(PostLoginForm {
+        username,
+        password,
+        redirect_uri,
+    }): Form<PostLoginForm>,
     session: Session,
     auth_provider: Data<AP>,
 ) -> HttpResponse {
+    // Ensure that redirect_uri never goes cross-origin
+    let default_redirect = "/frontend/user".to_string();
+    let redirect_uri = redirect_uri.unwrap_or(default_redirect.clone());
+    let redirect_uri = req
+        .full_url()
+        .join(&redirect_uri)
+        .ok()
+        .and_then(|uri| req.full_url().make_relative(&uri))
+        .unwrap_or(default_redirect);
+
     if let Ok(Some(user)) = auth_provider
-        .validate_user_token(&form.username, &form.password)
+        .validate_user_token(&username, &password)
         .await
     {
         session.insert("user", user.id).unwrap();
-        Redirect::to(format!("/frontend/user/{}", &form.username))
+        Redirect::to(redirect_uri)
             .see_other()
             .respond_to(&req)
             .map_into_boxed_body()