Redirection to an external website from CP if the user is unauthorized #10969

miloslavkostir opened this issue Oct 17, 2024 · 0 comments

Bug description

The unauthorized user is redirected from the CP to the referrer. But that doesn't make sense if the user is coming from an external site, and in the case of OAuth authentication a redirect loop can be created. IMO the user should see an error message explaining what happened.

See Statamic\Exceptions\Concerns\RendersControlPanelExceptions::getAuthExceptionRedirectUrl(). It contains this comment:

If we came to this URL from another, we'll send them back, but not if it was the login page otherwise there'd be a redirect loop.

and if:

if ($referrer && $referrer != cp_route('login')) {
    return $referrer;
}

So the risk of a redirect loop is solved only for the default login via email and password, not for OAuth authentication.

There should be something like this:

// If we came to this URL from another, we'll send them back, but not
// if it was an external site or the login page otherwise there'd be a redirect loop.
if ($referrer && str_starts_with($referrer, url('/')) && $referrer != cp_route('login')) {
    return $referrer;
}

How to reproduce

1. Create an unauthorized user

In the Statamic application, create an unauthorized user (superadmin = false, no role).

2. OAuth authentication

Create an OAuth authentication according to the doc https://statamic.dev/oauth.

If you are not able to create the OAuth authentication, try this simulator. On a domain other than the Statamic application, create a script with this simple code:

<?php
// Any POST "succeeds": send the browser to the CP, the way a real
// provider callback would after a successful sign-in.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Location: https://my-statamic-app.com/cp');
    exit;
}
?>
<html>
<head>
    <title>OAuth simulator</title>
</head>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Sign in">
</form>
</body>
</html>

or with simpler code:

<html>
<head>
    <title>OAuth simulator</title>
</head>
<body>
<a href="https://my-statamic-app.com/cp" target="_blank">Statamic CP</a>
</body>
</html>

3. Log in to the CP via email

If you use the OAuth simulator above, you must log in to the CP manually (real OAuth will do it itself). Log in to the CP via email and password as the unauthorized user. You will be redirected to the unauthorized page /cp/auth/unauthorized as expected.

4. Sign in via OAuth

Sign in via OAuth or simulate it with the OAuth simulator (submit the form or click on the link). You will be redirected to the control panel of your Statamic application, but you will be immediately redirected back to the external site because you have no permissions.

Because the OAuth authentication automatically creates unauthorized users, this always happens if the user doesn't exist.

Logs

No response

Environment

Application Name: RETEK
Laravel Version: 11.20.0
PHP Version: 8.3.7
Composer Version: 2.7.6
Environment: devel
Debug Mode: ENABLED
URL: retek-cz.mik.dek.cz
Maintenance Mode: OFF
Timezone: Europe/Prague
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: null
Cache: file
Database: mysql
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Statamic
Addons: 1
Sites: 2 (Czech, English)
Stache Watcher: Enabled
Static Caching: Disabled
Version: 5.20.0 PRO

Statamic Addons
dek-statamic/dev-tools: 1.5.1

Installation

Fresh statamic/statamic site via CLI

Additional details

No response
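A stand-alone version of the decision the issue proposes, as an added example that is not Statamic's code or the reporter's patch: it keeps the intent (do not bounce an unauthorized user back to an external site or to the login page) but compares the referrer's origin (scheme, host, port) instead of using a string prefix, because str_starts_with($referrer, url('/')) would also accept referrers such as https://my-statamic-app.com.evil.example/cp or https://my-statamic-app.com@evil.example/cp, whose text begins with the app URL but whose host is someone else's. The variables $appUrl, $loginUrl and $fallback stand in for url('/'), cp_route('login') and the CP's unauthorized page; the /cp/auth/login path and every referrer in the list are constructed for illustration.

```php
<?php
// Added example (not Statamic's code). Decides where to send a user who reached
// the CP without permission, based on the Referer, with the same intent as the
// fix proposed in the issue but comparing origins rather than string prefixes.
//
// Assumptions: $appUrl stands in for Laravel's url('/'), $loginUrl for
// cp_route('login'), $fallback for the CP's unauthorized page; the
// /cp/auth/login path is a placeholder.

declare(strict_types=1);

/** Normalise a URL to "scheme://host:port", or null when it has no host. */
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme'] ?? 'http');
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return sprintf('%s://%s:%d', $scheme, strtolower($p['host']), $port);
}

/** True only when the referrer is on the application's own origin. */
function isInternalReferrer(string $referrer, string $appUrl): bool
{
    $app = originOf($appUrl);
    $ref = originOf($referrer);
    return $app !== null && $ref !== null && $app === $ref;
}

/** Mirrors getAuthExceptionRedirectUrl() with the external-referrer check added. */
function authExceptionRedirectUrl(?string $referrer, string $appUrl, string $loginUrl, string $fallback): string
{
    // No Referer (direct visit, or stripped by Referrer-Policy): show the error page.
    if ($referrer === null || $referrer === '') {
        return $fallback;
    }
    // External site (an OAuth provider, the simulator page): going back would loop.
    if (!isInternalReferrer($referrer, $appUrl)) {
        return $fallback;
    }
    // The login page: going back would loop just the same.
    if (rtrim($referrer, '/') === rtrim($loginUrl, '/')) {
        return $fallback;
    }
    return $referrer;
}

// Constructed inputs for illustration.
$appUrl   = 'https://my-statamic-app.com';
$loginUrl = 'https://my-statamic-app.com/cp/auth/login';
$fallback = 'https://my-statamic-app.com/cp/auth/unauthorized';

$referrers = [
    null,                                            // direct visit, no Referer
    'https://my-statamic-app.com/cp/collections',    // internal page: send the user back
    'https://my-statamic-app.com/cp/auth/login',     // login page: would loop
    'https://oauth-simulator.example/',              // external site: would loop
    'https://my-statamic-app.com.evil.example/cp',   // passes a prefix check, wrong host
    'https://my-statamic-app.com@evil.example/cp',   // userinfo trick, same problem
];

foreach ($referrers as $ref) {
    // Side by side: what the proposed str_starts_with() test would say, and where
    // the origin-based function actually sends the user.
    $prefixOk = $ref !== null && str_starts_with($ref, $appUrl);
    printf("%-46s prefix-check: %-4s -> %s\n",
        $ref ?? '(none)',
        $prefixOk ? 'pass' : 'fail',
        authExceptionRedirectUrl($ref, $appUrl, $loginUrl, $fallback));
}
```

Run it with php on the command line; the last two rows show referrers that the prefix test accepts as internal while the origin comparison correctly treats them as external and returns the unauthorized page. When wiring something like this into a real application, take the app origin from configuration rather than from the incoming Host header, since the latter is attacker-controlled in the same request.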
