[openstreetmap/openstreetmap-website] `oauth_return_url` gets lost during registration (Issue #6130)

Tue, 24 Jun 2025 08:31:23 -0700 

tordans created an issue (openstreetmap/openstreetmap-website#6130)

### URL

_No response_

### How to reproduce the issue?

I am having trouble with our registration workflow. It used to redirect users 
back to our application. Now it returns them to the osm.org map.

(Logging into an existing account using the OAuth flow works, just the 
registration is broken.)

1. Open https://staging.tilda-geo.de/regionen/berlin, klick "Anmelden" on the 
top right
   The URL will be (decoded) has the right `redirect_uri`
    ```url
    https://master.apis.dev.openstreetmap.org/login
    ?referer=/oauth2/authorize
    ?client_id=uglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4
    &scope=openid%20read_prefs%20write_prefs%20write_notes
    &response_type=code
    
&redirect_uri=https%3A%2F%2Fstaging.tilda-geo.de%2Fapi%2Fauth%2Fosm%2Fcallback
    &nextauth=osm%2Clogin
    &state=7aAEVSZmtmifFGXnQsbdS8lZgFxeFvGd5JvFKfx-r2s
    &code_challenge=fsijUEaNJ4UFBdXM4yuBK0PhiosI6H5LFsuvhZBdR14
    &code_challenge_method=S256
    ```
    (Observation: The second `?` seems wrong)

2. Switch to registration, the URL (decoded) still has the right `redirect_uri` 
    ```url
    https://master.apis.dev.openstreetmap.org/user/new
    ?referer=/oauth2/authorize
    ?client_id=uglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4
    &scope=openid%20read_prefs%20write_prefs%20write_notes
    &response_type=code
    
&redirect_uri=https%3A%2F%2Fstaging.tilda-geo.de%2Fapi%2Fauth%2Fosm%2Fcallback
    &nextauth=osm%2Clogin
    &state=7aAEVSZmtmifFGXnQsbdS8lZgFxeFvGd5JvFKfx-r2s
    &code_challenge=fsijUEaNJ4UFBdXM4yuBK0PhiosI6H5LFsuvhZBdR14
    &code_challenge_method=S256
    ```
    Which is also present in the HTML
    `<input type="hidden" name="referer" id="referer" 
value="/oauth2/authorize?client_id=uglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4&amp;scope=openid%20read_prefs%20write_prefs%20write_notes&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fstaging.tilda-geo.de%2Fapi%2Fauth%2Fosm%2Fcallback&amp;nextauth=osm%2Clogin&amp;state=7aAEVSZmtmifFGXnQsbdS8lZgFxeFvGd5JvFKfx-r2s&amp;code_challenge=fsijUEaNJ4UFBdXM4yuBK0PhiosI6H5LFsuvhZBdR14&amp;code_challenge_method=S256"
 autocomplete="off">`
    Which is also submitted when I submit the form.

3. I then get an e-mail with this URL, which also look OK because it includes 
the `redirect_uri` param
     (Note to self: When testing this, not all emails had this referrer; I am 
not aware of a issue in my test cases so maybe there is something else going 
on…)
    ```url
    https://master.apis.dev.openstreetmap.org/user/test4tobias/confirm
    
?confirm_string=eyJfcmFpbHMiOnsiZGF0YSI6WzIyMzQ1LCI1ZjlkNTgwNDU4NThmYTE4ZTE0MDRhNGM1OTczZWYxYTQ0NDM4NWU5ZTg5ZWIwNTMzMDJjNjBlYjQyNWIzNjY1Il0sImV4cCI6IjIwMjUtMDctMDFUMTU6MjA6NTYuNjI2WiIsInB1ciI6IlVzZXJcbm5ld191c2VyXG42MDQ4MDAifX0%3D--08aa4f4e33a3028efd12169d36b719d6097868be
    
referer=%2Fwelcome%3Foauth_return_url%3D%252Foauth2%252Fauthorize%253Fclient_id%253DuglV_cJniuc96GQT0-rO6sXsgJPZfat8PLCfv91qRC4%2526scope%253Dopenid%252520read_prefs%252520write_prefs%252520write_notes%2526response_type%253Dcode%2526redirect_uri%253Dhttps%25253A%25252F%25252Fstaging.tilda-geo.de%25252Fapi%25252Fauth%25252Fosm%25252Fcallback%2526nextauth%253Dosm%25252Clogin%2526state%253DXERbLiSBIbCdHZWJQlI0wCP48XahJhi6bHeh4dnof3A%2526code_challenge%253D5zjEUEM5ZhYNrXdclX8kVXfEyWvuWei2-ZJPt5svYj4%2526code_challenge_method%253DS256
    ```

4. ISSUE: When I open that link, I get the regular welcome page with the "Start 
mapping", not the OAuth welcome page:
    > <img width="948" alt="Image" 
src="https://github.com/user-attachments/assets/56508876-df3b-4d28-9913-af6ccc710235";
 />

    - This is where the right Button should be picked 
https://github.com/openstreetmap/openstreetmap-website/blob/master/app/views/site/welcome.html.erb#L81-L85
    - This is where the param that is used to pick the right button is set 
https://github.com/openstreetmap/openstreetmap-website/blob/master/app/controllers/users_controller.rb#L209
    - There where some updates to this a year ago … 
https://github.com/openstreetmap/openstreetmap-website/commit/74cc88fce4982777d5f78e016940159de655c817



### Screenshot(s) or anything else?

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/6130
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/issues/6...@github.com>
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev

Reply via email to