SSO: redirect to public URL before setting cookies (#9436)

... otherwise, we don't get the cookie back.
2025-07-31 20:58:40 -04:00 · 2021-02-26 14:02:06 +00:00 · 2021-02-26 14:02:06 +00:00 · 15090de850
commit 15090de850
parent e53f11bd62
7 changed files with 130 additions and 28 deletions
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@ -20,6 +20,7 @@ from synapse.api.errors import Codes, LoginError, SynapseError
 from synapse.api.ratelimiting import Ratelimiter
 from synapse.appservice import ApplicationService
 from synapse.handlers.sso import SsoIdentityProvider
+from synapse.http import get_request_uri
 from synapse.http.server import HttpServer, finish_request
 from synapse.http.servlet import (
    RestServlet,
@ -354,6 +355,7 @@ class SsoRedirectServlet(RestServlet):
            hs.get_oidc_handler()
        self._sso_handler = hs.get_sso_handler()
        self._msc2858_enabled = hs.config.experimental.msc2858_enabled
+        self._public_baseurl = hs.config.public_baseurl

    def register(self, http_server: HttpServer) -> None:
        super().register(http_server)
@ -373,6 +375,32 @@ class SsoRedirectServlet(RestServlet):
    async def on_GET(
        self, request: SynapseRequest, idp_id: Optional[str] = None
    ) -> None:
+        if not self._public_baseurl:
+            raise SynapseError(400, "SSO requires a valid public_baseurl")
+
+        # if this isn't the expected hostname, redirect to the right one, so that we
+        # get our cookies back.
+        requested_uri = get_request_uri(request)
+        baseurl_bytes = self._public_baseurl.encode("utf-8")
+        if not requested_uri.startswith(baseurl_bytes):
+            # swap out the incorrect base URL for the right one.
+            #
+            # The idea here is to redirect from
+            #    https://foo.bar/whatever/_matrix/...
+            # to
+            #    https://public.baseurl/_matrix/...
+            #
+            i = requested_uri.index(b"/_matrix")
+            new_uri = baseurl_bytes[:-1] + requested_uri[i:]
+            logger.info(
+                "Requested URI %s is not canonical: redirecting to %s",
+                requested_uri.decode("utf-8", errors="replace"),
+                new_uri.decode("utf-8", errors="replace"),
+            )
+            request.redirect(new_uri)
+            finish_request(request)
+            return
+
        client_redirect_url = parse_string(
            request, "redirectUrl", required=True, encoding=None
        )