Use a short-time cookie to remember where to callback to

client/pages/login.vue

@@ -39,10 +39,10 @@
         </form>
         <hr />
         <div class="w-full flex py-3">
-          <a href="http://localhost:3333/auth/google">
+          <a :href="`http://localhost:3333/auth/google?callback=${currentUrl}`">
             <ui-btn color="primary" class="leading-none">Login with Google</ui-btn>
           </a>
-          <a href="http://localhost:3333/auth/openid">
+          <a :href="`http://localhost:3333/auth/openid?callback=${currentUrl}`">
             <ui-btn color="primary" class="leading-none">Login with OpenId</ui-btn>
           </a>
         </div>
@@ -69,7 +69,8 @@ export default {
       },
       confirmPassword: '',
       ConfigPath: '',
-      MetadataPath: ''
+      MetadataPath: '',
+      currentUrl: location.toString()
     }
   },
   watch: {

package.json

@@ -31,16 +31,17 @@
   "license": "GPL-3.0",
   "dependencies": {
     "axios": "^0.27.2",
+    "cookie-parser": "^1.4.6",
     "express": "^4.17.1",
     "express-session": "^1.17.3",
     "graceful-fs": "^4.2.10",
     "htmlparser2": "^8.0.1",
     "node-tone": "^1.0.1",
+    "nodemailer": "^6.9.2",
     "passport": "^0.6.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-jwt": "^4.0.1",
     "passport-openidconnect": "^0.1.1",
-    "nodemailer": "^6.9.2",
     "sequelize": "^6.32.1",
     "socket.io": "^4.5.4",
     "sqlite3": "^5.1.6",
@@ -49,4 +50,4 @@
   "devDependencies": {
     "nodemon": "^2.0.20"
   }
-}
+}

server/Auth.js

@@ -32,7 +32,6 @@ class Auth {
         clientSecret: global.ServerSettings.authGoogleOauth20ClientSecret,
         callbackURL: global.ServerSettings.authGoogleOauth20CallbackURL
       }, (async function (accessToken, refreshToken, profile, done) {
-        // TODO: what to use as username
         // TODO: do we want to create the users which does not exist?
         const user = await Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase())
 
@@ -59,7 +58,6 @@ class Auth {
         skipUserProfile: false
       },
         (function (issuer, profile, done) {
-          // TODO: what to use as username
           // TODO: do we want to create the users which does not exist?
           var user = Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase())
 
@@ -116,7 +114,20 @@ class Auth {
     )
 
     // google-oauth20 strategy login route (this redirects to the google login)
-    router.get('/auth/google', passport.authenticate('google', { scope: ['email'] }))
+    router.get('/auth/google', (req, res, next) => {
+      const auth_func = passport.authenticate('google', { scope: ['email'] })
+      if (!req.query.callback || req.query.callback === "") {
+        res.status(400).send({
+          message: 'No callback parameter'
+        })
+        return
+      }
+      res.cookie('auth_cb', req.query.callback, {
+        maxAge: 120000 * 120, // Hack - this semms to be in UTC??
+        httpOnly: true
+      })
+      auth_func(req, res, next);
+    })
 
     // google-oauth20 strategy callback route (this receives the token from google)
     router.get('/auth/google/callback',
@@ -125,13 +136,31 @@ class Auth {
         // return the user login response json if the login was successfull
         var data_json = await this.getUserLoginResponsePayload(req.user)
         // res.json(data_json)
-        // TODO: figure out how to redirect back to the app page
-        res.redirect(301, `http://localhost:3000/login?setToken=${data_json.user.token}`)
+        // TODO: do we want to somehow limit the values for auth_cb?
+        if (req.cookies.auth_cb) {
+          res.redirect(302, `${req.cookies.auth_cb}?setToken=${data_json.user.token}`)
+        }
+        else {
+          res.status(400).send("No callback or already expired")
+        }
       }).bind(this)
     )
 
     // openid strategy login route (this redirects to the configured openid login provider)
-    router.get('/auth/openid', passport.authenticate('openidconnect'))
+    router.get('/auth/openid', (req, res, next) => {
+      const auth_func = passport.authenticate('openidconnect')
+      if (!req.query.callback || req.query.callback === "") {
+        res.status(400).send({
+          message: 'No callback parameter'
+        })
+        return
+      }
+      res.cookie('auth_cb', req.query.callback, {
+        maxAge: 120000 * 120, // Hack - this semms to be in UTC??
+        httpOnly: true
+      })
+      auth_func(req, res, next);
+    })
 
     // openid strategy callback route (this receives the token from the configured openid login provider)
     router.get('/auth/openid/callback',
@@ -140,8 +169,12 @@ class Auth {
         // return the user login response json if the login was successfull
         var data_json = await this.getUserLoginResponsePayload(req.user)
         // res.json(data_json)
-        // TODO: figure out how to redirect back to the app page
-        res.redirect(301, `http://localhost:3000/login?setToken=${data_json.user.token}`)
+        if (req.cookies.auth_cb) {
+          res.redirect(302, `${req.cookies.auth_cb}?setToken=${data_json.user.token}`)
+        }
+        else {
+          res.status(400).send("No callback or already expired")
+        }
       }).bind(this)
     )
 

server/Server.js

@@ -5,6 +5,7 @@ const http = require('http')
 const fs = require('./libs/fsExtra')
 const fileUpload = require('./libs/expressFileupload')
 const rateLimit = require('./libs/expressRateLimit')
+const cookieParser = require("cookie-parser");
 
 const { version } = require('../package.json')
 
@@ -136,6 +137,8 @@ class Server {
 
     const app = express()
 
+    // parse cookies in requests
+    app.use(cookieParser());
     // enable express-session
     app.use(expressSession({
       secret: global.ServerSettings.tokenSecret,