MC-43161: "Invalid security or form key. Please refresh the page" error message after login with custom backend frontname and URL secret key enabled.

Author: bubasuma

app/code/Magento/Backend/App/Action/Plugin/Authentication.php

@@ -225,10 +225,9 @@ protected function _redirectIfNeededAfterLogin(\Magento\Framework\App\RequestInt
 
         // Checks, whether secret key is required for admin access or request uri is explicitly set
         if ($this->_url->useSecretKey()) {
-            $requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
-            $baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
-            $routeIndex = empty($baseUrlPath) ? 0 : 1;
-            $requestUri = $this->_url->getUrl($requestParts[$routeIndex]);
+            // The requested URL has an invalid secret key and therefore redirecting to this URL
+            // will cause a security vulnerability.
+            $requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());
         } elseif ($request) {
             $requestUri = $request->getRequestUri();
         }

app/code/Magento/Backend/Test/Mftf/ActionGroup/AdminLoginWithCustomUrlActionGroup.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminLoginWithCustomUrlActionGroup" extends="AdminLoginActionGroup">
+        <annotations>
+            <description>Login to specific backend URL.</description>
+        </annotations>
+        <arguments>
+            <argument name="customUrl" type="string"/>
+        </arguments>
+
+        <amOnPage url="{{customUrl}}" stepKey="navigateToAdmin"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Backend/Test/Mftf/Section/AdminHeaderSection.xml

@@ -17,5 +17,6 @@
         <element name="pageHeading" type="text" selector=".page-content .page-heading"/>
         <!-- Used for page not found error -->
         <element name="pageNotFoundTitle" type="text" selector=".page-title span"/>
+        <element name="signOut" type="button" selector=".page-header .account-signout"/>
     </section>
 </sections>

app/code/Magento/Backend/Test/Mftf/Test/AdminRedirectToStartupPageAfterLoginIfSecretKeyEnabledTest.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminRedirectToStartupPageAfterLoginIfSecretKeyEnabledTest">
+        <annotations>
+            <features value="Backend"/>
+            <stories value="Login on the Admin Backend"/>
+            <title value="Admin should not be redirected to the requested page after login if secret key is enabled"/>
+            <description value="Admin should not be redirected to the requested page after login if secret key is enabled"/>
+            <severity value="AVERAGE"/>
+            <testCaseId value="AC-1145"/>
+            <useCaseId value="MC-43161"/>
+            <group value="backend"/>
+        </annotations>
+        <before>
+            <!-- Add Secret Key to URLs -->
+            <magentoCLI command="config:set admin/security/use_form_key 1" stepKey="enableUrlSecretKeys"/>
+            <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+        </before>
+        <after>
+            <magentoCLI command="config:set admin/security/use_form_key 0" stepKey="disableUrlSecretKeys"/>
+            <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutFromAdmin"/>
+        </after>
+
+        <!-- Assert succesful login without any error message -->
+        <dontSeeElement selector="{{AdminMessagesSection.error}}" stepKey="dontSeeErrorMessage1"/>
+        <!-- Assert current page is dashboard -->
+        <seeCurrentUrlMatches regex="~\/admin\/dashboard\/~" stepKey="seeCurrentUrlMatchesDashboardUrl"/>
+        <grabFromCurrentUrl stepKey="dashboardUrl"/>
+        <!-- Navigate to web configuration -->
+        <actionGroup ref="AdminNavigateMenuActionGroup" stepKey="navigateToFindPartnersAndExtensions">
+            <argument name="menuUiId" value="magento-backend-stores"/>
+            <argument name="submenuUiId" value="magento-config-system-config"/>
+        </actionGroup>
+        <actionGroup ref="AdminOpenConfigNavItemActionGroup" stepKey="navigateToWebConfig">
+            <argument name="navItem" value="Web" />
+        </actionGroup>
+        <!-- Grab current URL -->
+        <grabFromCurrentUrl stepKey="webConfigurationUrl"/>
+        <!-- Logout -->
+        <grabAttributeFrom selector="{{AdminHeaderSection.signOut}}" userInput="href" stepKey="logoutUrl"/>
+        <amOnPage url="{$logoutUrl}" stepKey="logout2"/>
+        <!-- Login with directt url -->
+        <actionGroup ref="AdminLoginWithCustomUrlActionGroup" stepKey="loginAndRedirectToRequestedPage">
+            <argument name="customUrl" value="$webConfigurationUrl"/>
+        </actionGroup>
+        <!-- Assert succesful login without any error message -->
+        <dontSeeElement selector="{{AdminMessagesSection.error}}" stepKey="dontSeeErrorMessage2"/>
+        <!-- Assert current page is dashboard -->
+        <seeCurrentUrlMatches regex="~\/admin\/dashboard\/~" stepKey="seeCurrentUrlMatchesDashboardUrl2"/>
+    </test>
+</tests>