Allow navigation back to calling app

Author: daniel-slaugh

django/domains/iam/auth/adapters.py

@@ -1,5 +1,6 @@
 import logging
 from smtplib import SMTPException
+from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.conf import settings
@@ -9,6 +10,7 @@
 from allauth.account.adapter import DefaultAccountAdapter, get_adapter as get_account_adapter
 from allauth.core import context as allauth_context
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from interfaces.account.navigation import get_stored_account_return_to
 from interfaces.auth.schemas import AccountPatchBody
 from domains.iam.services import AccountService
 
@@ -23,6 +25,32 @@ def get_logout_redirect_url(self, request: HttpRequest) -> str:
     def is_open_for_signup(self, request: HttpRequest):
         return settings.ACCOUNT_SIGNUP_ENABLED
 
+    def get_login_redirect_url(self, request):
+        return get_stored_account_return_to(request) or super().get_login_redirect_url(
+            request
+        )
+
+    def get_signup_redirect_url(self, request):
+        return get_stored_account_return_to(request) or super().get_signup_redirect_url(
+            request
+        )
+
+    def is_safe_url(self, url):
+        parsed = urlparse(url)
+        try:
+            if super().is_safe_url(url):
+                return True
+        except (AttributeError, LookupError):
+            if parsed.scheme or parsed.netloc:
+                pass
+            else:
+                return url.startswith("/") and not url.startswith("//")
+
+        if not parsed.scheme or not parsed.netloc:
+            return False
+
+        return self._origin_from_url(url) in self._get_allowed_return_origins()
+
     def send_mail(self, template_prefix: str, email: str, context: dict) -> None:
         request = allauth_context.request
         ctx = {
@@ -46,6 +74,28 @@ def send_mail(self, template_prefix: str, email: str, context: dict) -> None:
             )
             console_connection.send_messages([msg])
 
+    def _get_allowed_return_origins(self):
+        origins = set()
+
+        for client_config in getattr(settings, "OIDC_BUNDLED_CLIENTS", {}).values():
+            for url in client_config.get("redirect_uris", []):
+                origin = self._origin_from_url(url)
+                if origin:
+                    origins.add(origin)
+            for origin in client_config.get("cors_origins", []):
+                normalized = self._origin_from_url(origin)
+                if normalized:
+                    origins.add(normalized)
+
+        return origins
+
+    @staticmethod
+    def _origin_from_url(url):
+        parsed = urlparse(url)
+        if not parsed.scheme or not parsed.netloc:
+            return None
+        return f"{parsed.scheme}://{parsed.netloc}"
+
     def save_user(self, request, user, form, commit=True):
         user = super().save_user(request, user, form, commit=False)
         data = form.cleaned_data

django/hydroserver/settings.py

@@ -212,6 +212,7 @@ def _url_origin(url):
                 "django.template.context_processors.request",
                 "django.contrib.auth.context_processors.auth",
                 "django.contrib.messages.context_processors.messages",
+                "interfaces.account.context_processors.account_navigation",
             ],
         },
     },

django/interfaces/account/context_processors.py

@@ -0,0 +1,7 @@
+from interfaces.account.navigation import get_account_return_to
+
+
+def account_navigation(request):
+    return {
+        "account_return_url": get_account_return_to(request),
+    }

django/interfaces/account/navigation.py

@@ -0,0 +1,62 @@
+from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit
+
+from allauth.account.adapter import get_adapter as get_account_adapter
+from django.contrib.auth import REDIRECT_FIELD_NAME
+
+
+ACCOUNT_RETURN_TO_SESSION_KEY = "account_return_to"
+
+
+def normalize_account_return_to(request, value):
+    if not isinstance(value, str):
+        return None
+
+    normalized = unquote(value).strip()
+    if not normalized:
+        return None
+
+    if not get_account_adapter(request).is_safe_url(normalized):
+        return None
+
+    return normalized
+
+
+def get_stored_account_return_to(request):
+    session = getattr(request, "session", None)
+    if session is None:
+        return None
+    return normalize_account_return_to(
+        request,
+        session.get(ACCOUNT_RETURN_TO_SESSION_KEY)
+    )
+
+
+def get_account_return_to(request):
+    for query_dict in [getattr(request, "POST", None), request.GET]:
+        if not query_dict:
+            continue
+        value = normalize_account_return_to(request, query_dict.get(REDIRECT_FIELD_NAME))
+        if value:
+            session = getattr(request, "session", None)
+            if session is not None:
+                session[ACCOUNT_RETURN_TO_SESSION_KEY] = value
+            return value
+
+    return get_stored_account_return_to(request)
+
+
+def with_account_return_to(url, return_to):
+    normalized = return_to if isinstance(return_to, str) and return_to.strip() else None
+    if not normalized:
+        return url
+
+    parts = urlsplit(url)
+    query = [
+        (key, value)
+        for key, value in parse_qsl(parts.query, keep_blank_values=True)
+        if key != REDIRECT_FIELD_NAME
+    ]
+    query.append((REDIRECT_FIELD_NAME, normalized))
+    return urlunsplit(
+        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
+    )

django/interfaces/account/urls.py

@@ -3,6 +3,7 @@
 
 urlpatterns = [
     path("login/", views.login, name="account_login"),
+    path("signup/", views.signup, name="account_signup"),
     path("email/", views.unavailable_account_management, name="disabled_account_email"),
     path("3rdparty/", views.unavailable_account_management, name="disabled_socialaccount_connections"),
     path("social/connections/", views.unavailable_account_management, name="disabled_socialaccount_connections_legacy"),

django/interfaces/account/views.py

@@ -1,14 +1,15 @@
 import logging
 from urllib.parse import unquote
 
-from allauth.account.views import LoginView as AllauthLoginView
+from allauth.account.views import LoginView as AllauthLoginView, SignupView as AllauthSignupView
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth import logout
 from django.contrib.auth.decorators import login_required
 from django.db import OperationalError, ProgrammingError
 from django.shortcuts import render, redirect
 from django.contrib import messages
 from interfaces.account.forms import ProfileForm, DeleteAccountForm
+from interfaces.account.navigation import get_account_return_to
 from domains.iam.services import AccountService
 
 
@@ -38,23 +39,37 @@ def dispatch(self, request, *args, **kwargs):
         request.GET = _normalize_redirect_field(request.GET)
         if request.method == "POST":
             request.POST = _normalize_redirect_field(request.POST)
+        get_account_return_to(request)
+        return super().dispatch(request, *args, **kwargs)
+
+
+class SignupView(AllauthSignupView):
+    def dispatch(self, request, *args, **kwargs):
+        request.GET = _normalize_redirect_field(request.GET)
+        if request.method == "POST":
+            request.POST = _normalize_redirect_field(request.POST)
+        get_account_return_to(request)
         return super().dispatch(request, *args, **kwargs)
 
 
 login = LoginView.as_view()
+signup = SignupView.as_view()
 
 
 @login_required
 def profile(request):
     user = request.user
+    return_to = get_account_return_to(request)
     return render(request, "account/profile.html", {
         "user": user,
         "organization": user.organization,
+        "return_to": return_to,
     })
 
 
 @login_required
 def profile_edit(request):
+    return_to = get_account_return_to(request)
     if request.method == "POST":
         form = ProfileForm(request.POST, instance=request.user)
         if form.is_valid():
@@ -64,18 +79,20 @@ def profile_edit(request):
     else:
         form = ProfileForm(instance=request.user)
 
-    return render(request, "account/profile_edit.html", {"form": form})
+    return render(request, "account/profile_edit.html", {"form": form, "return_to": return_to})
 
 
 @login_required
 def unavailable_account_management(request):
+    get_account_return_to(request)
     messages.info(request, "That account management page is not available in this HydroServer instance.")
     return redirect("account_profile")
 
 
 @login_required
 def delete_account(request):
     user = request.user
+    return_to = get_account_return_to(request)
     owned_workspaces = []
     try:
         from domains.iam.models import Workspace
@@ -99,4 +116,5 @@ def delete_account(request):
     return render(request, "account/delete_account.html", {
         "form": form,
         "owned_workspaces": owned_workspaces,
+        "return_to": return_to,
     })

django/templates/account/profile.html

@@ -26,10 +26,21 @@ <h2 class="text-lg font-medium text-gray-900">
                 <p class="text-sm text-gray-600">{{ user.email }}</p>
             </div>
         </div>
-        <a href="{% url 'account_profile_edit' %}"
-           class="inline-flex min-h-12 items-center justify-center rounded-xl border border-primary bg-white px-5 py-3 text-sm font-medium text-primary transition-colors hover:bg-primary-light hover:text-primary-dark">
-            {% trans "Edit profile" %}
-        </a>
+        <div class="flex flex-col gap-3 sm:flex-row">
+            {% if account_return_url %}
+            <a href="{{ account_return_url }}"
+               class="inline-flex min-h-12 items-center justify-center gap-2 rounded-xl border border-primary bg-primary px-5 py-3 text-sm font-medium text-white shadow-elevation-2 transition-colors hover:bg-primary-dark">
+                <svg class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+                    <path fill-rule="evenodd" d="M17.5 10a.75.75 0 0 1-.75.75H5.06l3.22 3.22a.75.75 0 1 1-1.06 1.06l-4.5-4.5a.75.75 0 0 1 0-1.06l4.5-4.5a.75.75 0 1 1 1.06 1.06L5.06 9.25h11.69a.75.75 0 0 1 .75.75Z" clip-rule="evenodd" />
+                </svg>
+                {% trans "Back to app" %}
+            </a>
+            {% endif %}
+            <a href="{% url 'account_profile_edit' %}"
+               class="inline-flex min-h-12 items-center justify-center rounded-xl border border-primary bg-white px-5 py-3 text-sm font-medium text-primary transition-colors hover:bg-primary-light hover:text-primary-dark">
+                {% trans "Edit profile" %}
+            </a>
+        </div>
     </div>
 
     <section class="space-y-4 rounded-xl border border-gray-200 bg-white p-5">

django/tests/iam/test_account_adapter.py

@@ -55,3 +55,18 @@ def test_account_adapter_reraises_email_delivery_errors_outside_dev(
     with request_context(request):
         with pytest.raises(SMTPException):
             adapter.send_mail("account/email/email_confirmation", "user@example.com", {})
+
+
+def test_account_adapter_allows_registered_client_origins_as_return_urls(settings):
+    adapter = AccountAdapter()
+
+    settings.OIDC_BUNDLED_CLIENTS = {
+        "test": {
+            "id": "test-client",
+            "redirect_uris": ["http://127.0.0.1:5173/callback"],
+            "cors_origins": ["http://127.0.0.1:5173"],
+        }
+    }
+
+    assert adapter.is_safe_url("http://127.0.0.1:5173/orchestration?workspaceId=123")
+    assert not adapter.is_safe_url("http://malicious.example.com/orchestration")

django/tests/iam/test_auth_profile_flow.py

@@ -220,6 +220,19 @@ def test_email_verification_sent_page_renders():
     assert "Verify your email" in content
 
 
+def test_profile_page_shows_back_to_app_link(client, get_principal):
+    client.force_login(get_principal("owner"))
+
+    response = client.get(
+        "/accounts/profile/",
+        {"next": "http://127.0.0.1:5173/orchestration?workspaceId=abc123"},
+    )
+
+    assert response.status_code == 200
+    assert b"Back to app" in response.content
+    assert b"http://127.0.0.1:5173/orchestration?workspaceId=abc123" in response.content
+
+
 def test_account_signup_requires_first_name():
     payload = signup_payload(f"signup-missing-first-{uuid4().hex}@example.com")
     payload["firstName"] = ""

packages/hydroserver-ts/src/api/__tests__/session.service.spec.ts

@@ -130,4 +130,19 @@ describe('SessionService', () => {
 
     expect(() => session.checkExpiration()).not.toThrow()
   })
+
+  it('builds account urls with the current app route as next', () => {
+    window.history.replaceState({}, '', '/orchestration?workspaceId=abc#runs')
+
+    const session = new SessionService(
+      new HydroServer({ host: 'https://hydro.example.com' })
+    )
+
+    expect(session.accountSignupUrl).toBe(
+      'https://hydro.example.com/accounts/signup/?next=http%3A%2F%2Flocalhost%3A3000%2Forchestration%3FworkspaceId%3Dabc%23runs'
+    )
+    expect(session.accountProfileUrl).toBe(
+      'https://hydro.example.com/accounts/profile/?next=http%3A%2F%2Flocalhost%3A3000%2Forchestration%3FworkspaceId%3Dabc%23runs'
+    )
+  })
 })