3liz / lizmap-web-client

Transfer a QGIS project to a server; Lizmap provides the web interface to browse it
https://www.lizmap.com
Mozilla Public License 2.0

[Bug]: When using auth URL params (auth_login, url_password and auth_url_return) redirections not working properly. #3152

Open jaitor1 opened 2 years ago

jaitor1 commented 2 years ago

What is the bug?

Continuation of #1980 and #1957 as they were closed and I am still experiencing the issue.

When using the auth URL params (auth_login, url_password and auth_url_return), redirections do not work properly.

I created a test map and a dumb user/pass for this test. I modified the login form and added allowAnyOrigin="true" to be able to log in via URL params. Don't worry about security, it is only used within a local network, in a controlled environment:

http://eudala2.getxo.eus/lizmap/www/admin.php/auth/login/in?&auth_login=borrar&auth_password=borrar_test&auth_url_return=%2Flizmap%2Fwww%2Findex.php%2Fview%2Fmap%2F%3Frepository%3Dtest%26project%3Dtest

  1. The first time you click on the link you get redirected to the login website. It does not log in, although I have already entered the user and pass via URL params, and it does not redirect to the specified map either. I'm not sure if this particular misbehavior is a Lizmap issue or a security misconfiguration in the administration I work for.

  2. But the second time you click on the link you get logged in correctly and redirected to the map properly.

  3. From the third time on you are already logged in correctly, but you always get redirected to the admin website instead of to the map.

In short, it only works the second time you hit the link.

Steps to reproduce the issue

Already specified in bug description.

Versions

Check Lizmap plugin

QGIS server version, only if the section above doesn't mention the QGIS Server version

3.10

Operating system

Windows Server 2016

Browsers

Firefox, Chrome, Safari, Microsoft Edge

Browsers version

90

Relevant log output

No response

Gustry commented 2 years ago

Lizmap version: 3.3.3

This is not a supported version. Can you try with the latest 3.5.5?

3.3.3 is very old, released in December 2019: https://github.com/3liz/lizmap-web-client/releases/tag/3.3.3

jaitor1 commented 2 years ago

I installed version 3.5.5 on my server and I get the exact same behaviour.

You can check it yourself: http://eudala2.getxo.eus/lizmap35/admin.php/auth/login/in?&auth_login=borrar&auth_password=borrar_test&auth_url_return=%2Flizmap35%2Findex.php%2Fview%2Fmap%2F%3Frepository%3Dtest%26project%3Dtest

nworr commented 2 years ago

After some tests it seems that the URL return param generates a redirection in all cases (user logged in or not) when used in the auth/login/ URL (not /in, which is used to process the login form). In my case the following URL worked in Lizmap 3.5; can you try it?

http://eudala2.getxo.eus/lizmap35/admin.php/auth/login/?&auth_login=borrar&auth_password=borrar_test&auth_url_return=%2Flizmap35%2Findex.php%2Fview%2Fmap%2F%3Frepository%3Dtest%26project%3Dtest

In the old version (3.3) the behaviour is still the same with the login/ URL.

jaitor1 commented 2 years ago

> After some tests it seems that the URL return param generates a redirection in all cases (user logged in or not) when used in the auth/login/ URL (not /in, which is used to process the login form). In my case the following URL worked in Lizmap 3.5; can you try it?
>
> http://eudala2.getxo.eus/lizmap35/admin.php/auth/login/?&auth_login=borrar&auth_password=borrar_test&auth_url_return=%2Flizmap35%2Findex.php%2Fview%2Fmap%2F%3Frepository%3Dtest%26project%3Dtest
>
> In the old version (3.3) the behaviour is still the same with the login/ URL.

@nworr thanks for your input.

It seems that in v3.5 the URL you are giving (/auth/login?) redirects OK to the map once you are logged in. But it is no different from going directly to the map (http://eudala2.getxo.eus/lizmap35/index.php/view/map/?repository=test&project=test), as you are already logged in. The URL (/auth/login?) does not log in, so it does not really solve the problem.

A working URL should log in and after that redirect to the map, all in one unique URL. If you are already logged in, it should just redirect to the map.

In v3.3, as you mention, (/auth/login?) does not even redirect to the map after you are logged in.

nworr commented 2 years ago

In my opinion, there can't be a unique URL with the desired behaviour. When not authenticated, the auth_* params are used to perform a non-interactive login and redirect to a provided URL, but once the user is authenticated the login form makes no sense, so the whole login process is ignored.

Maybe a trick can be made using a public project and a custom JavaScript which detects if the user is connected and redirects the browser to the project URL, or to the login URL with the auth_* params.
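As an added example (not code from the Lizmap project or from anyone in this thread), the two pieces of the workaround described above, written in JavaScript: building the login URL with a properly percent-encoded auth_url_return, so that the map's own query string (repository=...&project=...) survives as a single parameter value the way the URLs in this thread show, and choosing, from a logged-in flag, whether to send the browser straight to the map or through the login URL. The origin, base path, credentials and the isLoggedIn flag are placeholders, and how a page learns whether the user is logged in is not covered. isLocalReturnPath is a sanity check added here (accept only a same-site, path-only return value), not something the thread discusses. A login URL built this way carries the password in the query string, which ends up in server logs and browser history.

```javascript
// Added example, not Lizmap project code. Placeholders: origin, base path,
// credentials and the isLoggedIn flag passed to chooseTarget().

// Relative path to a map view, with its own query string
function buildMapPath(basePath, repository, project) {
  const query = new URLSearchParams({ repository, project });
  return `${basePath}/index.php/view/map/?${query.toString()}`;
}

// Sanity check added here: accept only a same-site, path-only return value
// (one leading slash; no scheme and no "//" or "/\" that a browser would read as a host)
function isLocalReturnPath(returnPath) {
  return typeof returnPath === 'string'
    && returnPath.startsWith('/')
    && !returnPath.startsWith('//')
    && !returnPath.startsWith('/\\');
}

// Login URL carrying the auth_* params. URLSearchParams percent-encodes "/", "?",
// "&" and "=" inside returnPath, so the inner query survives as one parameter value
// (this is the %2F...%3F...%26 form seen in the URLs above).
function buildLoginUrl(origin, basePath, login, password, returnPath) {
  if (!isLocalReturnPath(returnPath)) {
    throw new Error(`refusing non-local return path: ${returnPath}`);
  }
  const url = new URL(`${basePath}/admin.php/auth/login/`, origin);
  url.search = new URLSearchParams({
    auth_login: login,
    auth_password: password,
    auth_url_return: returnPath,
  }).toString();
  return url.toString();
}

// Recover auth_url_return from a login URL (decoded exactly once)
function parseReturnPath(loginUrl) {
  return new URL(loginUrl).searchParams.get('auth_url_return');
}

// The client-side decision from the comment above: already logged in -> the map
// directly; otherwise -> the login URL, which returns to the map after login
function chooseTarget(isLoggedIn, mapPath, loginUrl) {
  return isLoggedIn ? mapPath : loginUrl;
}

// Stand-alone demo with constructed values
const demoMapPath = buildMapPath('/lizmap35', 'test', 'test');
const demoLoginUrl = buildLoginUrl(
  'http://lizmap.example', '/lizmap35', 'LOGIN_PLACEHOLDER', 'PASSWORD_PLACEHOLDER', demoMapPath,
);
console.log(demoLoginUrl);
console.log(parseReturnPath(demoLoginUrl) === demoMapPath); // true
console.log(chooseTarget(false, demoMapPath, demoLoginUrl) === demoLoginUrl); // true
```

In a page served from a public project, the call would be `window.location.assign(chooseTarget(isLoggedIn, mapPath, loginUrl))`, with the logged-in flag supplied by whatever the page can observe about the session; URLSearchParams does the encoding, so no manual percent-escaping of the return path is needed.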

jaitor1 commented 2 years ago

> When not authenticated, the auth_* params are used to perform a non-interactive login and redirect to a provided URL, but once the user is authenticated the login form makes no sense, so the whole login process is ignored.

The problem is that this non-interactive login is not working properly, as you need to click the URL twice to make it work. The first call takes you to the manual login form site. The second time it logs in OK and redirects OK: http://eudala2.getxo.eus/lizmap35/admin.php/auth/login/in?&auth_login=borrar&auth_password=borrar_test&auth_url_return=%2Flizmap35%2Findex.php%2Fview%2Fmap%2F%3Frepository%3Dtest%26project%3Dtest

> but once the user is authenticated the login form makes no sense, so the whole login process is ignored.

This should be the proper behaviour, but it is not working like that, as it takes you to the admin panel if you keep clicking the link.

P.S.: I can't remove the feedback tag

3liz-bot commented 2 years ago

This issue is missing some feedback. 👻 Please have a look at the discussion, thanks. 🦎

jaitor1 commented 2 years ago

> This issue is missing some feedback. 👻 Please have a look at the discussion, thanks. 🦎

Can someone remove the feedback tag? I have already provided feedback