Updated OAuth middleware to use the correct URL helpers

no-ref Hardcoded redirect URLs were breaking when admin and site URLs were different, or when Ghost is configured with a subdirectory.
2025-01-20 22:42:53 -05:00 · 2021-09-23 17:26:29 +01:00 · 2021-09-23 17:26:29 +01:00 · a9ea792d65
commit a9ea792d65
parent a3f46708e2
1 changed files with 7 additions and 8 deletions
--- a/core/server/web/oauth/app.js
+++ b/core/server/web/oauth/app.js
@ -36,11 +36,10 @@ module.exports = function setupOAuthApp() {
     */
    function googleOAuthMiddleware(clientId, secret) {
        return (req, res, next) => {
-            // TODO: use url config instead of the string /ghost
+            const adminURL = urlUtils.urlFor('admin', true);
            //Create the callback url to be sent to Google
-            const callbackUrl = new URL(urlUtils.getSiteUrl());
+            const callbackUrl = new URL('oauth/google/callback', adminURL);
            callbackUrl.pathname = '/ghost/oauth/google/callback';
            passport.authenticate(new GoogleStrategy({
                clientID: clientId,
@ -55,7 +54,7 @@ module.exports = function setupOAuthApp() {
                    const emails = profile.emails.filter(email => email.verified === true).map(email => email.value);
                    if (!emails.includes(req.user.get('email'))) {
-                        return res.redirect('/ghost/#/staff/?message=oauth-linking-failed');
+                        return res.redirect(new URL('#/staff?message=oauth-linking-failed', adminURL));
                    }
                    // TODO: configure the oauth data for this user (row in the oauth table)
@ -70,7 +69,7 @@ module.exports = function setupOAuthApp() {
                    //TODO: instead find the oauth row with the email use the provider id
                    const emails = profile.emails.filter(email => email.verified === true);
                    if (emails.length < 1) {
-                        return res.redirect('/ghost/#/signin?message=login-failed');
+                        return res.redirect(new URL('#/signin?message=login-failed', adminURL));
                    }
                    const email = emails[0].value;
@ -85,7 +84,7 @@ module.exports = function setupOAuthApp() {
                        let invite = await models.Invite.findOne({email, status: 'sent'}, options);
                        if (!invite || invite.get('expires') < Date.now()) {
-                            return res.redirect('/ghost/#/signin?message=login-failed');
+                            return res.redirect(new URL('#/signin?message=login-failed', adminURL));
                        }
                        //Accept invite
@ -106,7 +105,7 @@ module.exports = function setupOAuthApp() {
                await auth.session.sessionService.createSessionForUser(req, res, req.user);
-                return res.redirect('/ghost/');
+                return res.redirect(adminURL);
            }), {
                scope: ['profile', 'email'],
                session: false,
@ -133,7 +132,7 @@ module.exports = function setupOAuthApp() {
    oauthApp.get('/:provider/callback', (req, res, next) => {
        // Set the referrer as the ghost instance domain so that the session is linked to the ghost instance domain
-        req.headers.referrer = urlUtils.getSiteUrl();
+        req.headers.referrer = urlUtils.getAdminUrl();
        next();
    }, auth.authenticate.authenticateAdminApi, (req, res, next) => {
        if (req.params.provider !== 'google') {