Skip to content

follow returnTo when hitting /login while already logged in#221

Merged
david-crespo merged 4 commits into
mainfrom
redirect-logged-in-returnto
Jun 30, 2026
Merged

follow returnTo when hitting /login while already logged in#221
david-crespo merged 4 commits into
mainfrom
redirect-logged-in-returnto

Conversation

@david-crespo

Copy link
Copy Markdown
Contributor

I tried to go to RFD 704 in a browser where I was logged out (I use Chrome for Google Meet and nothing else). I landed on https://rfd.shared.oxide.computer/login?returnTo=/rfd/0704. I copied and pasted that URL into the browser I normally use because that's where I want to read it. I got taken to / instead of RFD 704. Turns out this is because we ignore returnTo. So in this change we stop doing that.

@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
rfd-site Ready Ready Preview Jun 30, 2026 8:33pm

Request Review

Comment thread app/routes/login.tsx
decoded = decodeURIComponent(path)
} catch {
return '/'
}

@david-crespo david-crespo Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was just hardening against an edge case failure mode, classic GPT-5.5. Seems fine: low cost, covered in new unit test.

@david-crespo david-crespo requested a review from fakemonster June 30, 2026 17:47
Comment thread app/services/auth.server.ts Outdated
export { auth, handleAuthenticationCallback }

const RFD_PATH = /^\/rfd\/[0-9]{1,4}\??.*$/
const RFD_PATH = /^\/rfd\/[0-9]{1,4}(?:\/discussion)?(?:\?.*)?$/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the previous regex was effectively /^\/rfd\/[0-9]{1,4}/ (\??.* simplifies to .*, .*$ in practice simplifies to nothing at all), so now this regex DOES explicitly match for RFD paths and not just "things that start with an RFD path". good fix

but: why does /discussion make the cut here, and not pdf, raw, etc? i could make an argument to tolerate any sub-path at all, honestly (as long as you see a slash after the rfd digits, it "looks right enough" within this context). would help to have some elaboration in the tests (or a commit message) of why discussion gets the special case, and perhaps to move the /raw example in the tests to the 'rejects non-RFD paths' test, since it's not really malformed. if we really do want to reject all other rfd sub-paths, that is

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw this go by as a robot choice but didn't really think about why. Turns out it had a decent reason. /discussion gets included is because it's the only subpath the app currently constructs as a returnTo.

// !rfd covers both non-existent and private RFDs for the logged-out user. In
// both cases, once they log in, if they have permission to read it, they'll
// get the redirect, otherwise they will get 404.
if (!rfd && !user) throw redirect(`/login?returnTo=/rfd/${formatRfdNum(num)}/discussion`)

/raw defines a returnTo, but it goes to the RFD page, not /raw:

// If someone goes to a private RFD but they're not logged in, they will
// want to log in and see it.
if (!rfd && !user) throw redirect(`/login?returnTo=/rfd/${formatRfdNum(num)}`)

and /pdf just 404s if you hit it while logged out on a private RFD.

const user = await authenticate(request)
const rfd = await fetchRfdPdf(num, user)
if (!rfd || rfd.content.length === 0) throw new Response('Not Found', { status: 404 })

This status quo doesn't really make sense — /raw and /pdf should also construct returnTo using their actual paths. So I fixed that in 8b7f1a5 and loosened the regex to allow any subpath.

@david-crespo david-crespo merged commit 8ec6df1 into main Jun 30, 2026
4 checks passed
@david-crespo david-crespo deleted the redirect-logged-in-returnto branch June 30, 2026 21:14
@david-crespo

Copy link
Copy Markdown
Contributor Author

Confirmed it works in prod.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants