From 5f8340626bf3d3e39ba7e886d8a08eb3f0f548b6 Mon Sep 17 00:00:00 2001
From: Dannon Baker
Date: Wed, 4 Dec 2024 16:00:53 -0500
Subject: [PATCH] More protection around redirect cookie handling for psa. Sets expiration to 24h, clears to default if next isn't provided, and clears after use.
---
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index af7330e5c0c0..f7e3f459ec3f 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -79,7 +79,10 @@ def login(self, trans, provider, idphint=None, next=None):
 log.debug(msg)
 return trans.show_error_message(msg)
 if next:
- trans.set_cookie(value=next, name=LOGIN_NEXT_COOKIE_NAME)
+ trans.set_cookie(value=next, name=LOGIN_NEXT_COOKIE_NAME, age=1)
+ else:
+ # If no next parameter is provided, ensure we unset any existing next cookie.
+ trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
 if success:
 return {"redirect_uri": redirect_uri}
@@ -138,6 +141,8 @@ def callback(self, trans, provider, idphint=None, **kwargs):
 trans.handle_user_login(user)
 # Record which idp provider was logged into, so we can logout of it later
 trans.set_cookie(value=provider, name=PROVIDER_COOKIE_NAME)
+ # Clear the login next cookie back to default.
+ trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 return trans.response.send_redirect(url_for(redirect_url))
 @web.expose
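Review bot: The new `age=1` line still persists the caller-supplied `next` without checking that it is a site-relative path, so a link such as `login?next=//evil.example` is stored as-is and, if the consumer of LOGIN_NEXT_COOKIE_NAME redirects to it unchecked (that code is outside this hunk), becomes an open redirect that the shorter lifetime does not prevent. Validate before storing and fall into the existing `else` reset otherwise, rejecting anything with a scheme or host including the protocol-relative `//` and backslash `/\` forms. `age=1` reads as a 24h lifetime only if `set_cookie`'s `age` is in days, as the commit message implies; a trailing comment `# age is in days` would spare the next reader a lookup. `login` starts outside the hunk.

```python
        # Persist only a site-relative path: absolute, protocol-relative ("//host")
        # and backslash ("/\host") forms would otherwise be echoed into the post-login redirect.
        safe_next = next if next and next.startswith("/") and not next.startswith(("//", "/\\")) else None
        if safe_next:
            trans.set_cookie(value=safe_next, name=LOGIN_NEXT_COOKIE_NAME, age=1)  # age is in days
        else:
            # No usable next parameter: reset any existing next cookie to the default.
            trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
        # … unchanged: authenticate call and redirect_uri return …
```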
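Review bot: The reset added before `send_redirect` runs only on the success path, so when `callback` bails out earlier (the start of `callback` is outside this hunk) the stored `next` survives for its full lifetime and is consumed by a later login in the same browser rather than being one-shot as the commit message says. If single use is the intent, reset the cookie at the point where its value is read, presumably earlier in `callback`, e.g. move `trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)` to directly after that read so it runs regardless of outcome. Note also that writing "/" with the default age keeps a cookie on the client rather than removing it; if the response object offers an expire/delete operation, that would be the cleaner way to "clear", and the comment should say "reset" rather than "clear" otherwise.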