FIX: login redirect to root path in subfolder setup (#36609)

ZogStriP · web-flow · commit 045a9521a3fd · 2025-12-11T10:42:17.000+01:00
When Discourse is served from a subfolder (e.g., /forum), logging in
from the login page itself would incorrectly redirect users to the root
domain (/) instead of the subfolder root (/forum/).

The issue had two causes:

1. The login path check in `extract_redirect_param` used the Rails
`login_path` helper which returns "/login" without the subfolder prefix.
When the browser sent the full path "/forum/login", the check
`starts_with?("/login")` failed to match, treating it as a valid
redirect target instead of rejecting it.

2. The `enter` method didn't apply the subfolder prefix when falling
back to the root path "/".

Fixed by:
- Building the full login path with `Discourse.base_path` for accurate
matching in subfolder setups
- Wrapping the fallback "/" with `path()` in `enter` to respect the
subfolder configuration
- Extracting redirect validation into `valid_redirect_uri?` for clarity

Ref - meta/t/386619
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
@@ -28,24 +28,25 @@ class StaticController < ApplicationController
   CUSTOM_PAGES = {} # Add via `#add_topic_static_page` in plugin API
 
   def extract_redirect_param
-    redirect_path = params[:redirect]
-    if redirect_path.present?
-      begin
-        forum_host = URI(Discourse.base_url).host
-        uri = URI(redirect_path)
+    return "/" if params[:redirect].blank?
 
-        if uri.path.present? && !uri.path.starts_with?(login_path) &&
-             (uri.host.blank? || uri.host == forum_host) && uri.path =~ %r{\A\/{1}[^\.\s]*\z}
-          return "#{uri.path}#{uri.query ? "?#{uri.query}" : ""}"
-        end
-      rescue URI::Error, ArgumentError
-        # If the URI is invalid, return "/" below
-      end
-    end
+    uri = URI(params[:redirect])
+    return "/" unless valid_redirect_uri?(uri)
 
+    uri.query ? "#{uri.path}?#{uri.query}" : uri.path
+  rescue URI::Error, ArgumentError
     "/"
   end
 
+  def valid_redirect_uri?(uri)
+    return false if uri.path.blank?
+    return false if uri.path.starts_with?("#{Discourse.base_path}/login")
+    return false if uri.host.present? && uri.host != URI(Discourse.base_url).host
+    return false if !uri.path.match?(%r{\A/[^\.\s]*\z})
+
+    true
+  end
+
   def show
     if params[:id] == "login"
       destination = extract_redirect_param
@@ -152,14 +153,15 @@ def enter
 
     destination = extract_redirect_param
 
-    allow_other_hosts = false
+    allow_other_host = false
 
     if cookies[:sso_destination_url]
       destination = cookies.delete(:sso_destination_url)
-      allow_other_hosts = true
+      allow_other_host = true
     end
 
-    redirect_to(destination, allow_other_host: allow_other_hosts)
+    destination = path(destination) if destination == "/"
+    redirect_to(destination, allow_other_host:)
   end
 
   FAVICON = -"favicon"
diff --git a/spec/requests/static_controller_spec.rb b/spec/requests/static_controller_spec.rb
@@ -396,6 +396,31 @@
         expect(response).to redirect_to("/")
       end
     end
+
+    context "with a subfolder" do
+      before { set_subfolder "/sub_test" }
+
+      context "without a redirect path" do
+        it "redirects to the subfolder root" do
+          post "/login.json"
+          expect(response).to redirect_to("/sub_test/")
+        end
+      end
+
+      context "when the redirect path is the login page" do
+        it "redirects to the subfolder root" do
+          post "/login.json", params: { redirect: "#{Discourse.base_path}/login" }
+          expect(response).to redirect_to("/sub_test/")
+        end
+      end
+
+      context "when the redirect path is invalid" do
+        it "redirects to the subfolder root" do
+          post "/login.json", params: { redirect: "test" }
+          expect(response).to redirect_to("/sub_test/")
+        end
+      end
+    end
   end
 
   describe "#service_worker_asset" do
