Handle next parameters even through OIDC

auth.go

@@ -82,7 +82,7 @@ func completeAuth(w http.ResponseWriter, username string, email string, firstnam
 		Expires:  time.Now().Add(30 * 24 * time.Hour),
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
-		//Secure: true,
+		Secure:   true,
 	})
 
 	return

auth_krb5.go

@@ -51,7 +51,7 @@ func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (int
 		}
 	}
 
-	if !found {
+	if !userExists(lf.Login) && !found {
 		return nil, fmt.Errorf("You are not allowed to log you in this way. Please use OpenID Connect.")
 	}
 

auth_oidc.go

@@ -20,6 +20,7 @@ var (
 	oidcRedirectURL = "https://srs.nemunai.re"
 	oauth2Config    oauth2.Config
 	oidcVerifier    *oidc.IDTokenVerifier
+	nextSessionMap  = map[string]string{}
 )
 
 func init() {
@@ -60,6 +61,12 @@ func initializeOIDC() {
 
 func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	session, err := NewSession()
+
+	// Save next parameter
+	if len(r.URL.Query().Get("next")) > 0 {
+		nextSessionMap[fmt.Sprintf("%x", session.Id)] = r.URL.Query().Get("next")
+	}
+
 	if err != nil {
 		http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError)
 	} else {
@@ -121,5 +128,12 @@ func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 		return
 	}
 
+	// Retrieve next URL associated with session
+	if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {
+		http.Redirect(w, r, next, http.StatusFound)
+		delete(nextSessionMap, fmt.Sprintf("%x", session.Id))
+	} else {
 		http.Redirect(w, r, "/", http.StatusFound)
+	}
+
 }

ui/src/components/AuthButton.svelte

@@ -0,0 +1,19 @@
+<script>
+ import { page } from '$app/stores';
+
+ let className = '';
+ export { className as class };
+
+ let auth_route = 'auth/CRI'
+ $: {
+     if ($page.url.searchParams.get('next')) {
+         auth_route = 'auth/CRI?next=' + encodeURIComponent($page.url.searchParams.get('next'));
+     } else {
+         auth_route = 'auth/CRI?';
+     }
+ }
+</script>
+
+<a href={auth_route} target="_self" class="{className}">
+    <slot></slot>
+</a>

ui/src/routes/__layout.svelte

@@ -42,6 +42,7 @@
 </script>
 
 <script>
+ import AuthButton from '../components/AuthButton.svelte';
  import Toaster from '../components/Toaster.svelte';
 
  export let rroute = '';
@@ -129,9 +130,9 @@
                     </li>
                 {:else}
                     <li class="nav-item">
-                        <a href="auth/CRI" target="_self" class="btn btn-dark">
+                        <AuthButton class="btn btn-dark">
                             Se connecter
-	                </a>
+                        </AuthButton>
                     </li>
                 {/if}
 	    </ul>

ui/src/routes/auth.svelte

@@ -14,6 +14,8 @@
  import { goto } from '$app/navigation';
  import { page } from '$app/stores'
 
+ import AuthButton from '../components/AuthButton.svelte';
+
  let auth = { username: "", password: "" };
  let pleaseWait = false;
 
@@ -70,9 +72,9 @@
     <div class="col">
         <h2>OpenId Connect</h2>
         <div class="text-center">
-            <a href="auth/CRI" class="btn btn-primary" target="_self">
+            <AuthButton class="btn btn-primary">
 	        Me connecter avec mon compte CRI
-            </a>
+            </AuthButton>
         </div>
     </div>
 </div>