From 9e0a3b82296747e00a5d0ac2df855e7f12aa9c2a Mon Sep 17 00:00:00 2001
From: Saurabh Patel
Date: Tue, 23 Jul 2019 21:46:03 +0530
Subject: [PATCH] bug: keep query params present in auth_redirect (#7923)

https://meta.discourse.org/t/user-api-keys-payload-and-existing-query-string-leads-to-a-double-question-mark/123617
---
 app/controllers/user_api_keys_controller.rb | 9 ++++++---
 spec/requests/user_api_keys_controller_spec.rb | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb
index a30addfd32b..d5d9e09cb6d 100644
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -93,9 +93,12 @@ class UserApiKeysController < ApplicationController
 end
 if params[:auth_redirect]
- redirect_path = +"#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}"
- redirect_path << "&oneTimePassword=#{CGI.escape(otp_payload)}" if scopes.include?("one_time_password")
- redirect_to(redirect_path)
+ uri = URI.parse(params[:auth_redirect])
+ query_attributes = [uri.query, "payload=#{CGI.escape(@payload)}"]
+ query_attributes << "oneTimePassword=#{CGI.escape(otp_payload)}" if scopes.include?("one_time_password")
+ uri.query = query_attributes.compact.join('&')
+
+ redirect_to(uri.to_s)
 else
 respond_to do |format|
 format.html { render :show }
diff --git a/spec/requests/user_api_keys_controller_spec.rb b/spec/requests/user_api_keys_controller_spec.rb
index 06557d6a358..43aac9e83f1 100644
--- a/spec/requests/user_api_keys_controller_spec.rb
+++ b/spec/requests/user_api_keys_controller_spec.rb
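Review bot: `URI.parse(params[:auth_redirect])` raises `URI::InvalidURIError` on a malformed value, whereas the replaced string interpolation never raised, so a caller-controlled `auth_redirect` that is not a valid URI now surfaces as an unhandled exception (a 500) instead of a clean rejection. Unless an earlier check in this action already guarantees the value parses (the allowlist check is not visible in this hunk, so I cannot confirm), wrap the parse: `uri = begin URI.parse(params[:auth_redirect]) rescue URI::InvalidURIError then raise Discourse::InvalidParameters.new(:auth_redirect) end` (or whatever 4xx path this controller uses for bad params). Note also that `uri.query` is re-emitted verbatim, so an existing `payload=` or `oneTimePassword=` key supplied by the caller would be joined alongside the server's own values and the receiving client sees duplicate keys; a one-line comment documenting that the server's values are appended, not replacing, would help. The enclosing action begins and ends outside this hunk.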
@@ -260,6 +260,23 @@ describe UserApiKeysController do
 post "/user-api-key.json", params: args
 expect(response.status).to eq(302)
 end
+
+ it 'will keep query_params added in auth_redirect' do
+ SiteSetting.min_trust_level_for_user_api_key = 0
+ SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect] + "/*"
+
+ user = Fabricate(:user, trust_level: 0)
+ sign_in(user)
+
+ query_str = "/?param1=val1"
+ args[:auth_redirect] = args[:auth_redirect] + query_str
+
+ post "/user-api-key.json", params: args
+ expect(response.status).to eq(302)
+
+ uri = URI.parse(response.redirect_url)
+ expect(uri.to_s).to include(query_str)
+ end
 end
 context '#create-one-time-password' do
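Review bot: The assertion `expect(uri.to_s).to include(query_str)` only proves the substring `/?param1=val1` survived; it would also pass on the very double-question-mark output this patch is fixing (`/?param1=val1?payload=...`), so the test does not pin the new behaviour. Assert on the parsed query instead, e.g. `expect(uri.query).to include("param1=val1")`, `expect(uri.query).to include("payload=")` and `expect(uri.to_s.count("?")).to eq(1)`. Parsing `response.redirect_url` and then calling `uri.to_s` is also a no-op round trip; either use the parsed `uri.query` as above or compare against `response.redirect_url` directly.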