Ignore anything that isn't a URI path when returning

alexstone · corrieleech · alexstone · commit ff2224f0d04f · 2024-12-09T15:21:07.000-05:00
Co-Authored-By: Corrie &lt;87617609+corrieleech@users.noreply.github.com&gt;
diff --git a/app/controllers/kracken/sessions_controller.rb b/app/controllers/kracken/sessions_controller.rb
@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
 module Kracken
-  class SessionsController < ActionController::Base
+  class SessionsController < ActionController::Base # rubocop:disable Rails/ApplicationController
     protect_from_forgery with: :exception
 
-    def create
+    def create # rubocop:disable Metrics/AbcSize
       @user = user_class.find_or_create_from_auth_hash(auth_hash)
       session[:user_id] = @user.id
       session[:user_uid] = @user.uid
@@ -24,10 +24,12 @@ def failure
       render text: "Sorry, but you didn't allow access to our app!"
     end
 
-    protected
+  protected
 
     def return_to_path
-      request.env['omniauth.origin'] || "/"
+      return "/" unless request.env['omniauth.origin'].starts_with?('/')
+
+      request.env['omniauth.origin']
     end
 
     def auth_hash
