App Access should include query string when redirecting an unauthenticated user

[programmerq]

Expected behavior:

As of #13832, app access will preserve the path portion of a URL through the login process when an unauthenticated user tries to access an app access URL. This should include both the path and any query string, but it currently discards the query string.

Current behavior:

When accessing the URL as an unauthenticated user, the first thing teleport does is issue a redirect to the /web/launch for the app, and it includes the path as a query string. The ?query=bar from the initial URL is not included in the redirect.

Request URL: https://aaptest5.teleport.example.com/somefolder/foo?query=bar -> location: https://teleport.example.com:443/web/launch/aaptest5.teleport.example.com?path=%2Fsomefolder%2Ffoo

If I manually add in the URL escaped query string, the rest of the login flow works and preserves it the rest of the way through:

https://teleport.example.com:443/web/launch/aaptest5.teleport.example.com?path=%2Fsomefolder%2Ffoo%3Fquery%3Dbar

I believe this means that this can be fixed with a one-line change to simply add an escaped ? and URL.Query.

https://github.com/gravitational/teleport/blob/v10.2.0/lib/web/app/handler.go#L387

Bug details:

• Teleport version: all 10.x.y versions, 9.3.10 and newer, 8.3.16 and newer.
• Recreation steps: attempt to access an application access app with a path and query string. observe that only the path is preserved.
• Debug logs: n/a

gz#6770

[zmb3]

Closing as duplicate of #15998