More protection around redirect cookie handling for psa.

Sets expiration to 24h, clears to default if next isn't provided, and clears after use.
dannon · Dec 4, 2024 · 5f83406 · 5f83406
1 parent 963ae52
commit 5f83406
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -79,7 +79,10 @@ def login(self, trans, provider, idphint=None, next=None):
             log.debug(msg)
             return trans.show_error_message(msg)
         if next:
-            trans.set_cookie(value=next, name=LOGIN_NEXT_COOKIE_NAME)
+            trans.set_cookie(value=next, name=LOGIN_NEXT_COOKIE_NAME, age=1)
+        else:
+            # If no next parameter is provided, ensure we unset any existing next cookie.
+            trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
         success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
         if success:
             return {"redirect_uri": redirect_uri}
@@ -138,6 +141,8 @@ def callback(self, trans, provider, idphint=None, **kwargs):
         trans.handle_user_login(user)
         # Record which idp provider was logged into, so we can logout of it later
         trans.set_cookie(value=provider, name=PROVIDER_COOKIE_NAME)
+        # Clear the login next cookie back to default.
+        trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
         return trans.response.send_redirect(url_for(redirect_url))
 
     @web.expose