Use POST+Redirect_with_cookie

MarcialRosales · MarcialRosales · commit 1ad9c7d9a9ed · 2025-03-12T13:10:13.000+01:00
For idp-initiated logon
diff --git a/deps/rabbitmq_management/include/rabbit_mgmt.hrl b/deps/rabbitmq_management/include/rabbit_mgmt.hrl
@@ -13,3 +13,5 @@
 -define(MANAGEMENT_PG_GROUP, management_db).
 
 -define(MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE, 20000000).
+
+-define(OAUTH2_ACCESS_TOKEN_COOKIE, <<"access_token">>).
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_login.erl b/deps/rabbitmq_management/src/rabbit_mgmt_login.erl
@@ -16,23 +16,34 @@ init(Req0, State) ->
   login(cowboy_req:method(Req0), Req0, State).
 
 login(<<"POST">>, Req0, State) ->
-  {ok, Body, _} = cowboy_req:read_urlencoded_body(Req0),
-  AccessToken = proplists:get_value(<<"access_token">>, Body),
-  case rabbit_mgmt_util:is_authorized_user(Req0, #context{}, <<"">>, AccessToken, false) of
-    {true, Req1, _} ->
-      NewBody = ["<html><head></head><body><script src='js/prefs.js'></script><script type='text/javascript'>",
-          "set_token_auth('", AccessToken, "'); window.location = '", rabbit_mgmt_util:get_path_prefix(),
-          "/'</script></body></html>"],
-      Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"text/html; charset=utf-8">>}, NewBody, Req1),
-      {ok, Req2, State};
-    {false, ReqData1, Reason} ->
-      Home = cowboy_req:uri(ReqData1, #{path => rabbit_mgmt_util:get_path_prefix() ++ "/", qs => "error=" ++ Reason}),
-      ReqData2 = cowboy_req:reply(302,
-              #{<<"Location">> => iolist_to_binary(Home) },
-              <<>>, ReqData1),
-      {ok, ReqData2, State}
-  end;
+    {ok, Body, _} = cowboy_req:read_urlencoded_body(Req0),
+    AccessToken = proplists:get_value(<<"access_token">>, Body),
+    case rabbit_mgmt_util:is_authorized_user(Req0, #context{}, <<"">>, AccessToken, false) of
+        {true, Req1, _} ->     
+            SetCookie = cowboy_req:set_resp_cookie(?OAUTH2_ACCESS_TOKEN_COOKIE, AccessToken, Req1),    
+            Home = cowboy_req:uri(SetCookie, #{
+                path => rabbit_mgmt_util:get_path_prefix() ++ "/"
+            }),
+            Redirect = cowboy_req:reply(302, #{
+                 <<"Location">> => iolist_to_binary(Home) 
+            }, <<>>, SetCookie),      
+            {ok, Redirect, State};
+        {false, ReqData1, Reason} ->
+            replyWithError(Reason, ReqData1, State)
+    end;
 
 login(_, Req0, State) ->
     %% Method not allowed.
     {ok, cowboy_req:reply(405, Req0), State}.
+
+replyWithError(Reason, Req, State) ->
+    Home = cowboy_req:uri(Req, #{
+        path => rabbit_mgmt_util:get_path_prefix() ++ "/", 
+        qs => "error=" ++ Reason
+    }),
+    Req2 = cowboy_req:reply(302, #{
+        <<"Location">> => iolist_to_binary(Home) 
+    }, <<>>, Req),
+    {ok, Req2, State}.
+
+
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_oauth_bootstrap.erl b/deps/rabbitmq_management/src/rabbit_mgmt_oauth_bootstrap.erl
@@ -18,12 +18,14 @@ init(Req0, State) ->
 bootstrap_oauth(Req0, State) ->
     AuthSettings = rabbit_mgmt_wm_auth:authSettings(),
     Dependencies = oauth_dependencies(),
+    {Req1, SetTokenAuth} = set_token_auth(AuthSettings, Req0),
     JSContent = import_dependencies(Dependencies) ++
                 set_oauth_settings(AuthSettings) ++
-                set_token_auth(AuthSettings, Req0) ++
+                SetTokenAuth ++
                 export_dependencies(Dependencies),
+    
     {ok, cowboy_req:reply(200, #{<<"content-type">> => <<"text/javascript; charset=utf-8">>},
-        JSContent, Req0), State}.
+        JSContent, Req1), State}.
 
 set_oauth_settings(AuthSettings) ->
     JsonAuthSettings = rabbit_json:encode(rabbit_mgmt_format:format_nulls(AuthSettings)),
@@ -32,12 +34,29 @@ set_oauth_settings(AuthSettings) ->
 set_token_auth(AuthSettings, Req0) ->
     case proplists:get_value(oauth_enabled, AuthSettings, false) of
         true ->
-            case cowboy_req:parse_header(<<"authorization">>, Req0) of
-                {bearer, Token} ->  ["set_token_auth('", Token, "');"];
-                _ -> []
+            case cowboy_req:parse_header(<<"Authorization">>, Req0) of
+                {bearer, Token} -> {
+                        Req0, 
+                        ["set_token_auth('", Token, "');"]
+                    };
+                _ -> 
+                    Cookies = cowboy_req:parse_cookies(Req0),
+                    case lists:keyfind(?OAUTH2_ACCESS_TOKEN_COOKIE, 1, Cookies) of 
+                        {_, Token} -> {
+                                cowboy_req:set_resp_cookie(
+                                    ?OAUTH2_ACCESS_TOKEN_COOKIE, <<>>, Req0, #{max_age => 0}), 
+                                ["set_token_auth('", Token, "');"]
+                            };
+                        false -> {
+                                Req0, 
+                                []
+                            }
+                    end
             end;
-        false ->
-            []
+        false -> {
+                Req0, 
+                []
+            }
     end.
 
 import_dependencies(Dependencies) ->
diff --git a/selenium/bin/components/fakeportal b/selenium/bin/components/fakeportal
@@ -52,7 +52,7 @@ start_fakeportal() {
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
     --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
-    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
+    -v ${TEST_CONFIG_DIR}/uaa:/etc/uaa \
     -v ${FAKEPORTAL_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeportal
 
