Improve OAuth flow detection and redirect handling

aaronskiba · aaronskiba · commit 8fdd9080d9f0 · 2026-02-03T14:51:27.000-07:00
- Use start_with?(oauth_authorization_path) instead of include?('/oauth/authorize') for stricter path matching
- Use stored_location_for(resource) instead of session[:user_return_to] for automatic cleanup and Devise API compliance
- Add ? suffix to predicate method name

Improves security (prevents substring matches), maintainability (uses framework APIs), and follows Ruby conventions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -65,9 +65,10 @@ def store_location
   end
 
   # rubocop:disable Metrics/AbcSize
-  def after_sign_in_path_for(_resource)
+  def after_sign_in_path_for(resource)
     # ensure oauth2 authorization flow is not interrupted
-    return session[:user_return_to] if user_is_in_oauth_flow
+    # TODO: Unless nil, should stored_location_for(resource) always be returned?
+    return stored_location_for(resource) if user_is_in_oauth_flow?
 
     referer_path = URI(request.referer).path unless request.referer.nil?
     if from_external_domain? || referer_path.eql?(new_user_session_path) ||
@@ -80,9 +81,11 @@ def after_sign_in_path_for(_resource)
   end
   # rubocop:enable Metrics/AbcSize
 
-  def after_sign_up_path_for(_resource) # rubocop:todo Metrics/AbcSize
+  # rubocop:disable Metrics/AbcSize
+  def after_sign_up_path_for(resource)
     # ensure oauth2 authorization flow is not interrupted
-    return session[:user_return_to] if user_is_in_oauth_flow
+    # TODO: Unless nil, should stored_location_for(resource) always be returned?
+    return stored_location_for(resource) if user_is_in_oauth_flow?
 
     referer_path = URI(request.referer).path unless request.referer.nil?
     if from_external_domain? ||
@@ -93,6 +96,7 @@ def after_sign_up_path_for(_resource) # rubocop:todo Metrics/AbcSize
       request.referer
     end
   end
+  # rubocop:enable Metrics/AbcSize
 
   def after_sign_in_error_path_for(_resource)
     (from_external_domain? ? root_path : request.referer || root_path)
@@ -204,7 +208,7 @@ def render_respond_to_format_with_error_message(msg, url_or_path, http_status, e
     end
   end
 
-  def user_is_in_oauth_flow
-    session[:user_return_to].present? && session[:user_return_to].include?('/oauth/authorize')
+  def user_is_in_oauth_flow?
+    session[:user_return_to]&.start_with?(oauth_authorization_path)
   end
 end
