Preserve query parameter through redirection

[SirTimme]

Hello,
im using form auth in combination with session auth to protect my routes in Ktor server. When i make an unauthenticated request to a protected route, I am storing the original requested route to redirect after successful authentication. It works so far so good, but now I want to also preserve any query parameters through redirection.

My setup looks like this:

install(Authentication) {
    session<UserSession>("session-authentication") {
        validate { session ->
            session
        }
        challenge {
            call.respondRedirect("/auth/login?origin=${call.request.uri}")
        }
    }
}

So when I make a request to the protected route /devices/5?a=b&c=d, Ktor correctly constructs the uri /auth/login?origin=/devices/42?a=b&c=d.
However after successful authentication, Ktor redirects me to /devices/42?a=b so the second query param c=d and the & got dropped. I suspect that Ktor thought that the second query param was part of the /auth/login route rather then being part of the origin query parameter.
How can i change that behaviour to pass every query parameter so the redirection correctly preserves all of them?

I tried the following:

• call.respondRedirect("/auth/login?origin=${call.request.uri.encodeURLParameter()}")
• call.respondRedirect("/auth/login?origin=${call.request.uri.encodeURLPath()}")
• call.respondRedirect("/auth/login?origin=${call.request.uri.replace("&", "%26"}")

Sadly, none of my attemps yielded the wanted behaviour. I hope you can point me in the correct direction

[bjhham]

I'd expect encodeUrlParameter() to work just fine. This seems like it could be an issue in Ktor for how the redirect encoding/decoding is handled. One option you could use is to just include the origin in a header for now.

[bjhham]

@SirTimme could you provide a minimum reproducer?

When trying in a simple test it seems the concoding works:

@Test
fun testRedirectWithParameter() = testApplication {
    routing {
        get("/from") {
            call.respondRedirect("/to?origin=${call.request.uri.encodeURLParameter(true)}")
        }
        get("/to") {
            call.respondText("Origin: ${call.request.queryParameters["origin"]}")
        }
    }
    client.get("/from?foo=1&bar=2").apply {
        assertEquals(HttpStatusCode.OK.value, status.value)
        assertEquals("Origin: /from?foo=1&bar=2", bodyAsText()) // passes
    }
}

[SirTimme]

Hi, thanks for the answer! I am sorry, I just noticed your reply so my answer is a bit late. I tried to make the reproducer as minimal as possible and it can be found under https://github.com/SirTimme/ktor-redirection-reproducer

Steps to reproduce

• Start the project with ./gradlew run
• Navigate to /authenticated/52?a=b&c=d
• Redirection happens to /login?origin=%2Fauthenticated%2F56%3Fa%3Db%26c%3Dd since the /authenticated route is guarded with session auth
• Enter the credentials admin / admin and hit login
• Redirection happens to /authenticated/56?a=b and the second c=d got dropped.

---

The session auth guard around the /authenticated route is implemented like this:

authenticate("session-authentication") {
   get("/authenticated/{id}") {
      call.respondText("I am authenticated!")
   }
}

The redirection logic after the login validation is implemented like this:

post("/login") {
   val userPrincipal = call.principal<UserIdPrincipal>()!!
   call.sessions.set(UserSession(userPrincipal.name))
   call.respondRedirect(call.request.queryParameters["origin"]!!)
}

and I suspect that Ktor assumes that the c=d is a query param of the /login route rather than being part of the origin query param.

Let me know if you need additional information from my side. I appreciate you for looking into this issue :)
Greetings

[SirTimme]

@bjhham Would it be possible that you look into my reproducer and validate if there are any mistakes on my side?
I don't want to rush you but it felt like a reasonable time span to bump the post 🫣

[bjhham]

Hey, sorry for the delay!

It looks like the problem is the missing encoding on the action form field in the form:

action = "/login?origin=${call.request.queryParameters["origin"]}"

Should be:

action = "/login?origin=${call.request.queryParameters["origin"]?.encodeURLParameter(true)}"

This should fix the issue with c=d getting dropped 👍