Improve OAuth flow detection and redirect handling

aaronskiba · aaronskiba · commit 6213ec86d32e · 2026-02-03T15:32:55.000-07:00
- Use start_with?(oauth_authorization_path) instead of include?('/oauth/authorize') for stricter path matching
- Use stored_location_for(:user) instead of session[:user_return_to] for automatic cleanup and explicit Devise scope usage
  - OAuth flow detection is tied to session[:user_return_to], so the :user scope is explicit and correct
- Add ? suffix to predicate method name

Improves security (prevents substring matches), maintainability (uses framework APIs with explicit scope), and follows Ruby conventions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -67,7 +67,8 @@ def store_location
   # rubocop:disable Metrics/AbcSize
   def after_sign_in_path_for(_resource)
     # ensure oauth2 authorization flow is not interrupted
-    return session[:user_return_to] if user_is_in_oauth_flow
+    # TODO: Unless nil, should stored_location_for(resource) always be returned?
+    return stored_location_for(:user) if user_is_in_oauth_flow?
 
     referer_path = URI(request.referer).path unless request.referer.nil?
     if from_external_domain? || referer_path.eql?(new_user_session_path) ||
@@ -80,9 +81,11 @@ def after_sign_in_path_for(_resource)
   end
   # rubocop:enable Metrics/AbcSize
 
-  def after_sign_up_path_for(_resource) # rubocop:todo Metrics/AbcSize
+  # rubocop:disable Metrics/AbcSize
+  def after_sign_up_path_for(_resource)
     # ensure oauth2 authorization flow is not interrupted
-    return session[:user_return_to] if user_is_in_oauth_flow
+    # TODO: Unless nil, should stored_location_for(resource) always be returned?
+    return stored_location_for(:user) if user_is_in_oauth_flow?
 
     referer_path = URI(request.referer).path unless request.referer.nil?
     if from_external_domain? ||
@@ -93,6 +96,7 @@ def after_sign_up_path_for(_resource) # rubocop:todo Metrics/AbcSize
       request.referer
     end
   end
+  # rubocop:enable Metrics/AbcSize
 
   def after_sign_in_error_path_for(_resource)
     (from_external_domain? ? root_path : request.referer || root_path)
@@ -204,7 +208,7 @@ def render_respond_to_format_with_error_message(msg, url_or_path, http_status, e
     end
   end
 
-  def user_is_in_oauth_flow
-    session[:user_return_to].present? && session[:user_return_to].include?('/oauth/authorize')
+  def user_is_in_oauth_flow?
+    session[:user_return_to]&.start_with?(oauth_authorization_path)
   end
 end
