diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go
index f1e4c0568d54..b22e66f0b81c 100644
--- a/selfservice/flow/registration/handler.go
+++ b/selfservice/flow/registration/handler.go
@@ -290,7 +290,16 @@ func (h *Handler) createBrowserRegistrationFlow(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	http.Redirect(w, r, h.d.Config().SelfServiceBrowserDefaultReturnTo(r.Context()).String(), http.StatusSeeOther)
+	returnTo, redirErr := x.SecureRedirectTo(r, h.d.Config().SelfServiceBrowserDefaultReturnTo(r.Context()),
+		x.SecureRedirectAllowSelfServiceURLs(h.d.Config().SelfPublicURL(r.Context())),
+		x.SecureRedirectAllowURLs(h.d.Config().SelfServiceBrowserAllowedReturnToDomains(r.Context())),
+	)
+	if redirErr != nil {
+		h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, redirErr)
+		return
+	}
+
+	http.Redirect(w, r, returnTo.String(), http.StatusSeeOther)
 	return
 }
 
diff --git a/selfservice/flow/registration/handler_test.go b/selfservice/flow/registration/handler_test.go
index 9eaee55b561e..d0f19483d88c 100644
--- a/selfservice/flow/registration/handler_test.go
+++ b/selfservice/flow/registration/handler_test.go
@@ -43,6 +43,10 @@ func TestHandlerRedirectOnAuthenticated(t *testing.T) {
 	router := x.NewRouterPublic()
 	ts, _ := testhelpers.NewKratosServerWithRouters(t, reg, router, x.NewRouterAdmin())
 
+	// Set it first as otherwise it will overwrite the ViperKeySelfServiceBrowserDefaultReturnTo key;
+	returnToTS := testhelpers.NewRedirTS(t, "return_to", conf)
+	conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{returnToTS.URL})
+
 	redirTS := testhelpers.NewRedirTS(t, "already authenticated", conf)
 	conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationEnabled, true)
 	testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/identity.schema.json")
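Review bot: The new `if redirErr != nil` branch makes a `return_to` that fails the allow-list on an already-authenticated request surface as an error page through `SelfServiceErrorManager().Forward`, rather than falling back to the configured default as the removed line effectively did, and nothing in the hunk records that this is deliberate. A short comment above the `x.SecureRedirectTo` call would keep a later maintainer from "fixing" it back to a silent fallback, e.g. `// Already authenticated: honour return_to only if it passes the allow-list (self-service URLs plus the configured return-to domains); a rejected return_to is reported as an error, not silently replaced by the default.` The choice of `redirErr` instead of the usual `if returnTo, err := ...; err != nil` form suggests an `err` is already live in this scope — the function starts outside the hunk, so that is an inference; if no such `err` exists, the `if` initializer form reads cleaner and keeps the variable scoped to the check.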
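Review bot: The added comment `// Set it first as otherwise it will overwrite the ViperKeySelfServiceBrowserDefaultReturnTo key;` leaves "it" ambiguous and ends in a stray semicolon, so the ordering constraint it is protecting is easy to lose. From the placement it looks like `testhelpers.NewRedirTS` sets that key to the server it creates, which is why the `return_to` server must be created before `redirTS` — confirm against the helper, which is outside the hunk. Suggest `// NewRedirTS sets ViperKeySelfServiceBrowserDefaultReturnTo to its own URL; create the return_to server first so the later redirTS call ends up as the default.`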
@@ -58,6 +62,12 @@ func TestHandlerRedirectOnAuthenticated(t *testing.T) {
 		assert.Contains(t, res.Request.URL.String(), registration.RouteInitAPIFlow)
 		assertx.EqualAsJSON(t, registration.ErrAlreadyLoggedIn, json.RawMessage(gjson.GetBytes(body, "error").Raw))
 	})
+
+	t.Run("does redirect to return_to url on authenticated request", func(t *testing.T) {
+		body, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, x.NewTestHTTPRequest(t, "GET", ts.URL+registration.RouteInitBrowserFlow+"?return_to="+returnToTS.URL, nil))
+		assert.Contains(t, res.Request.URL.String(), returnToTS.URL)
+		assert.EqualValues(t, "return_to", string(body))
+	})
 }
 
 func TestInitFlow(t *testing.T) {
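Review bot: The new subtest pins only the accepted case — a `return_to` that is listed in `ViperKeyURLsAllowedReturnToDomains` — while the rejection path added in handler.go (a `return_to` outside the allow-list being forwarded to the error manager instead of followed) has no test, so a regression to the old unconditional redirect or to a silent fallback would pass this suite unnoticed. A sibling subtest that sends an authenticated request with a `return_to` pointing at a host that is neither a self-service URL nor an allowed domain, and asserts the final URL does not land there, would cover it; asserting the exact error rendering depends on how `SelfServiceErrorManager` behaves in this test setup, which is outside the hunk. `TestHandlerRedirectOnAuthenticated` starts outside the hunk.

```go
	// … unchanged: existing "does redirect to return_to url" subtest …
	t.Run("does not redirect to a return_to url outside the allow-list on authenticated request", func(t *testing.T) {
		// constructed example host: neither a self-service URL nor in ViperKeyURLsAllowedReturnToDomains
		_, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, x.NewTestHTTPRequest(t, "GET", ts.URL+registration.RouteInitBrowserFlow+"?return_to=https://not-allowed.example/", nil))
		assert.NotContains(t, res.Request.URL.String(), "not-allowed.example")
	})
```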