Fix bug with session deletion when logout forced and we have a redirect to follow

2026-01-05 12:11:52 +11:00
parent 074a734c0c
commit 8110d547dd
2 changed files with 24 additions and 0 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -86,8 +86,17 @@ class SessionsController < ApplicationController
    end

    # Sign in successful (password only)
+    # Preserve the return_to_after_authenticating value across session boundary
+    # (e.g., when max_age flow destroys the session and creates a temporary one)
+    preserved_return_url = session[:return_to_after_authenticating]
+
    start_new_session_for user, acr: "1"

+    # Restore the return URL if it was lost during session recreation
+    if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+      session[:return_to_after_authenticating] = preserved_return_url
+    end
+
    # Use status: :see_other to ensure browser makes a GET request
    # This prevents Turbo from converting it to a TURBO_STREAM request
    redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other
@@ -125,7 +134,12 @@ class SessionsController < ApplicationController
        if session[:totp_redirect_url].present?
          session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
        end
+        # Preserve return URL across session boundary for max_age flow
+        preserved_return_url = session[:return_to_after_authenticating]
        start_new_session_for user, acr: "2"
+        if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+          session[:return_to_after_authenticating] = preserved_return_url
+        end
        redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
        return
      end
@@ -137,7 +151,12 @@ class SessionsController < ApplicationController
        if session[:totp_redirect_url].present?
          session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
        end
+        # Preserve return URL across session boundary for max_age flow
+        preserved_return_url = session[:return_to_after_authenticating]
        start_new_session_for user, acr: "2"
+        if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+          session[:return_to_after_authenticating] = preserved_return_url
+        end
        redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
        return
      end
--- a/app/controllers/totp_controller.rb
+++ b/app/controllers/totp_controller.rb
@@ -106,7 +106,12 @@ class TotpController < ApplicationController
      session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
    end

+    # Preserve return URL across session boundary for max_age flow
+    preserved_return_url = session[:return_to_after_authenticating]
    start_new_session_for @user
+    if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
+      session[:return_to_after_authenticating] = preserved_return_url
+    end
    redirect_to after_authentication_url, notice: "Two-factor authentication enabled. Signed in successfully.", allow_other_host: true
  end