fix infinite redirect by clean up expired session

devopskube · Jul 5, 2021 · fbb856f · fbb856f
1 parent 518e14c
commit fbb856f
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/lib/redmine_openid_connect/application_controller_patch.rb b/lib/redmine_openid_connect/application_controller_patch.rb
@@ -1,15 +1,23 @@
 module RedmineOpenidConnect
   module ApplicationControllerPatch
     def require_login
-      return super unless (OicSession.enabled? && !OicSession.login_selector?)
-
-      if !User.current.logged?
+      if !User.current.logged? && OicSession.enabled? && OicSession.login_selector?
         if request.get?
           url = request.original_url
         else
           url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id])
         end
+        # this should fix infinite redirect
+        # because this plugin not reseting session when assigning logged user
+        # it should at least reset session when expired so it will not check every time
+        # which will cause infinite redirect
+        # also clean lingering oic sessio so that back_url still works
+        reset_session
         session[:remember_url] = url
+      end
+      return super unless (OicSession.enabled? && !OicSession.login_selector?)
+
+      if !User.current.logged?
         redirect_to oic_login_url
         return false
       end
@@ -18,7 +26,8 @@ def require_login
 
     # set the current user _without_ resetting the session first
     def logged_user=(user)
-      return super(user) unless OicSession.enabled?
+      # only override parent if the request is from ioc user
+      return super(user) unless session[:oic_session_id]
 
       if user && user.is_a?(User)
         User.current = user
@@ -29,3 +38,4 @@ def logged_user=(user)
     end
   end # ApplicationControllerPatch
 end
+