feat(login-app): redirect uri

vatsalparikh · vatsalparikh · commit 26cc19660f14 · 2026-03-26T15:35:42.000-07:00
diff --git a/apps/login-app/src/lib/redirect.constants.ts b/apps/login-app/src/lib/redirect.constants.ts
@@ -0,0 +1,16 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+/**
+ * Shared constants for redirect handling in the login-app.
+ */
+
+export const REDIRECT_FALLBACK = 'https://www.pingidentity.com/en.html';
+
+export const REDIRECT_QUERY_PARAMS = 'redirect_query_params';
diff --git a/apps/login-app/src/lib/server/locale.ts b/apps/login-app/src/lib/server/locale.ts
@@ -0,0 +1,34 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import type { z } from 'zod';
+
+import { getLocale } from '$core/_utilities/i18n.utilities';
+
+import type { stringsSchema } from '$core/locale.store';
+
+export async function loadLocaleContent(userLocale: string) {
+  const locale = getLocale(userLocale, '/');
+  const [country, lang] = locale.split('/');
+
+  let localeContent: { default: z.infer<typeof stringsSchema> };
+
+  try {
+    localeContent = await import(`$locales/${country}/${lang}/index.json`);
+  } catch (err) {
+    console.error(`User locale content for ${userLocale} was not found.`);
+
+    // TODO: Reevaluate use of JS versus JSON without breaking type generation for lib
+    // eslint-disable-next-line
+    // @ts-ignore
+    localeContent = await import(`$locales/us/en/index.json`);
+  }
+
+  return localeContent.default;
+}
diff --git a/apps/login-app/src/routes/(app)/+page.server.ts b/apps/login-app/src/routes/(app)/+page.server.ts
@@ -1,37 +1,56 @@
 /**
  *
- * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ * Copyright © 2025-2026 Ping Identity Corporation. All right reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  *
  **/
 
-import type { RequestEvent } from '@sveltejs/kit';
 import type { PageServerLoad } from './$types';
-import type { z } from 'zod';
-
-import { getLocale } from '$core/_utilities/i18n.utilities';
-
-import type { stringsSchema } from '$core/locale.store';
-
-export const load: PageServerLoad = async (event: RequestEvent) => {
-  const userLocale = event.request.headers.get('accept-language') || 'en-US';
-  const locale = getLocale(userLocale, '/');
-  const [country, lang] = locale.split('/');
-
-  let localeContent: { default: z.infer<typeof stringsSchema> };
-
-  try {
-    localeContent = await import(`$locales/${country}/${lang}/index.json`);
-  } catch (err) {
-    console.error(`User locale content for ${userLocale} was not found.`);
-
-    // TODO: Reevaluate use of JS versus JSON without breaking type generation for lib
-    // eslint-disable-next-line
-    // @ts-ignore
-    localeContent = await import(`$locales/us/en/index.json`);
+import { loadLocaleContent } from '$server/locale';
+
+import { REDIRECT_QUERY_PARAMS } from '$lib/redirect.constants';
+
+export const load: PageServerLoad = async ({ request, url, cookies }) => {
+  // https://docs.pingidentity.com/pingam/8/am-oauth2/oauth2-parameters.html#redirect-uri
+  const redirectUri = url.searchParams.get('goto');
+
+  const userLocale = request.headers.get('accept-language') || 'en-US';
+  const content = await loadLocaleContent(userLocale);
+
+  if (redirectUri) {
+    try {
+      // Normalize common inputs into something URL parsing + AM validateGoto can consistently handle.
+      // Examples:
+      // - '/path' stays relative (will be resolved against this app's origin below)
+      // - 'example.com/path' becomes 'https://example.com/path'
+      // - 'https://…' stays as-is
+      const normalizedRedirectUri =
+        redirectUri.startsWith('http://') ||
+        redirectUri.startsWith('https://') ||
+        redirectUri.startsWith('/')
+          ? redirectUri
+          : `https://${redirectUri}`;
+
+      // Parse into a real URL object. If the input is relative (e.g. '/path'), use this app's origin
+      // as the base so we end up with a full absolute URL in `parsed.href`.
+      const parsed = new URL(normalizedRedirectUri, url.origin);
+
+      // Only persist http(s) redirects. Other schemes like 'javascript:' are ignored.
+      if (parsed.protocol === 'https:' || parsed.protocol === 'http:') {
+        cookies.set(REDIRECT_QUERY_PARAMS, parsed.href, {
+          httpOnly: true,
+          sameSite: 'lax',
+          secure: url.protocol === 'https:',
+          maxAge: 300,
+          path: '/',
+        });
+      }
+    } catch {
+      // Ignore invalid redirectUri values
+    }
   }
 
-  return { content: localeContent.default };
+  return { content };
 };
diff --git a/apps/login-app/src/routes/(app)/+page.svelte b/apps/login-app/src/routes/(app)/+page.svelte
@@ -1,18 +1,20 @@
 <!--
  
- Copyright © 2025 Ping Identity Corporation. All right reserved.
+ Copyright © 2025-2026 Ping Identity Corporation. All right reserved.
  
  This software may be modified and distributed under the terms
  of the MIT license. See the LICENSE file for details.
  
  -->
 
 <script lang="ts">
-  import { Config, FRUser, SessionManager } from '@forgerock/javascript-sdk';
   import { goto } from '$app/navigation';
+  import { browser } from '$app/environment';
   import { page } from '$app/stores';
   import { onMount } from 'svelte';
 
+  import { REDIRECT_FALLBACK } from '$lib/redirect.constants';
+
   import Box from '$components/primitives/box/centered.svelte';
   import Journey from '$journey/journey.svelte';
   import { initialize as initializeJourney } from '$journey/journey.store';
@@ -38,29 +40,39 @@
 
   let name = '';
 
-  async function logout() {
-    const { clientId } = Config.get();
+  // Ensures we only trigger the post-login redirect once
+  // to avoid re-running multiple times as journey/oauth/user stores update.
+  let hasRedirected = false;
 
-    /**
-     * If configuration has a clientId, then use FRUser to logout to ensure
-     * token revoking and removal; else, just end the session.
-     */
-    if (clientId) {
-      // Call SDK logout
-      await FRUser.logout();
-    } else {
-      await SessionManager.logout();
+  async function redirectAfterLogin() {
+    const accessToken = $oauthStore.response?.accessToken;
+
+    if (!accessToken) {
+      window.location.assign(REDIRECT_FALLBACK);
+      return;
     }
 
-    // Reset stores
-    journeyStore.reset();
-    oauthStore.reset();
-    userStore.reset();
-    // Fetch fresh journey step
-    journeyStore.start({
-      tree: journeyParam || authIndexValue || undefined,
-    });
+    try {
+      const response = await fetch('/api/redirect', {
+        method: 'GET',
+        headers: {
+          accept: 'application/json',
+          authorization: `Bearer ${accessToken}`,
+        },
+      });
+
+      if (!response.ok) {
+        window.location.assign(REDIRECT_FALLBACK);
+        return;
+      }
+
+      const body = (await response.json()) as { redirectUri?: string };
+      window.location.assign(body.redirectUri || REDIRECT_FALLBACK);
+    } catch {
+      window.location.assign(REDIRECT_FALLBACK);
+    }
   }
+
   /**
    * Sets up locale store with appropriate content
    */
@@ -87,19 +99,18 @@
       userStore.get();
     }
     name = ($userStore.response as { name: string })?.name;
+
+    if (browser && $userStore?.successful && !hasRedirected) {
+      hasRedirected = true;
+      redirectAfterLogin();
+    }
   }
 </script>
 
 <Box>
   {#if !$userStore.successful}
     <Journey componentStyle="app" displayIcon={true} {journeyStore} />
   {:else}
-    <p class="tw_mb-6">User: {name}</p>
-    <button
-      class="tw_button-base tw_focusable-element dark:tw_focusable-element_dark tw_button-secondary dark:tw_button-secondary_dark"
-      on:click={logout}
-    >
-      Logout
-    </button>
+      <p class="tw_mb-6">{name}, you are being redirected...</p>
   {/if}
 </Box>
diff --git a/apps/login-app/src/routes/api/redirect/+server.ts b/apps/login-app/src/routes/api/redirect/+server.ts
@@ -0,0 +1,84 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+// Reference: https://docs.pingidentity.com/pingoneaic/am-authentication/redirection-url-precedence.html
+
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+
+import { AM_DOMAIN_PATH, JSON_REALM_PATH } from '$core/constants';
+import { REDIRECT_FALLBACK, REDIRECT_QUERY_PARAMS } from '$lib/redirect.constants';
+
+async function validateGoto(
+  fetchFn: typeof fetch,
+  authorization: string,
+  gotoUri: string,
+): Promise<string | null> {
+  const response = await fetchFn(`${AM_DOMAIN_PATH}${JSON_REALM_PATH}/users?_action=validateGoto`, {
+    method: 'POST',
+    headers: {
+      'Accept-API-Version': 'protocol=2.1,resource=3.0',
+      'Content-Type': 'application/json',
+      Authorization: authorization,
+    },
+    body: JSON.stringify({ goto: gotoUri }),
+  });
+
+  if (!response.ok) {
+    console.warn('validateGoto failed', {
+      status: response.status,
+      statusText: response.statusText,
+      hasAuthorization: authorization.toLowerCase().startsWith('bearer '),
+    });
+    return null;
+  }
+
+  // AM returns { successURL: string } even when the input goto is invalid
+  // It falls back to the default success URL
+  try {
+    const bodyText = await response.text();
+    const data = JSON.parse(bodyText) as { successURL?: string };
+    if (!data?.successURL) return null;
+
+    // successURL may be absolute or relative (e.g. '/enduser/?realm=/alpha').
+    // Resolve relative URLs against the AM base URL.
+    return new URL(data.successURL, AM_DOMAIN_PATH).href;
+  } catch {
+    return null;
+  }
+}
+
+export const GET: RequestHandler = async ({ cookies, url, request, fetch }) => {
+  const redirectUri = cookies.get(REDIRECT_QUERY_PARAMS);
+
+  const authorization = request.headers.get('authorization') || '';
+
+  if (!redirectUri) {
+    return json({ redirectUri: REDIRECT_FALLBACK }, { status: 400 });
+  }
+
+  if (!authorization) {
+    return json({ redirectUri: REDIRECT_FALLBACK }, { status: 401 });
+  }
+
+  // Cookie value is expected to be an absolute URL (normalized at write time)
+  const validated = await validateGoto(fetch, authorization, redirectUri);
+
+  // Clear cookie after successful validation
+  if (validated) {
+    cookies.delete(REDIRECT_QUERY_PARAMS, {
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: url.protocol === 'https:',
+      path: '/',
+    });
+  }
+
+  return json({ redirectUri: validated ?? REDIRECT_FALLBACK }, { status: validated ? 200 : 400 });
+};
diff --git a/apps/login-app/tsconfig.json b/apps/login-app/tsconfig.json
@@ -2,6 +2,8 @@
   "extends": "./.svelte-kit/tsconfig.json",
   "compilerOptions": {
     "paths": {
+      "$lib": ["./src/lib"],
+      "$lib/*": ["./src/lib/*"],
       "$core": ["../../core"],
       "$core/*": ["../../core/*"],
       "$components": ["../../core/components"],
diff --git a/e2e/tests/login-app/redirect.test.ts b/e2e/tests/login-app/redirect.test.ts
@@ -0,0 +1,42 @@
+/**
+ *
+ * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { test, expect } from '@playwright/test';
+import { username, password } from '../utilities/demo-user.js';
+
+test('Successful redirect', async ({ page }) => {
+  await page.goto('/?goto=https://forgerock.github.io/');
+
+  await page.getByLabel('Username').fill(username);
+  await page.getByLabel('Password').fill(password);
+  await page.getByRole('button', { name: 'Next' }).click();
+  await expect(page).toHaveURL('https://forgerock.github.io/');
+});
+
+test('Invalid URL redirects to end user UI', async ({ page }) => {
+  await page.goto('/?goto=https://invalidurl.com');
+
+  await page.getByLabel('Username').fill(username);
+  await page.getByLabel('Password').fill(password);
+  await page.getByRole('button', { name: 'Next' }).click();
+
+  // https://invalidurl.com does not exist in validation service
+  // so it should redirect to end user UI
+  await expect(page).toHaveURL('https://openam-sdks.forgeblocks.com/enduser/?realm=/alpha#/');
+});
+
+test('Empty URL redirects to fallback', async ({ page }) => {
+  await page.goto('/');
+
+  await page.getByLabel('Username').fill(username);
+  await page.getByLabel('Password').fill(password);
+  await page.getByRole('button', { name: 'Next' }).click();
+
+  await expect(page).toHaveURL('https://www.pingidentity.com/en.html');
+});
diff --git a/e2e/tests/utilities/demo-user.js b/e2e/tests/utilities/demo-user.js
@@ -0,0 +1,10 @@
+/*
+ *
+ * Copyright (c) 2026 Ping Identity Corporation. All rights reserved.
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ */
+export const username = 'JSAmLoginFrameworkE2E@user.com';
+export const password = 'Demo_12345!';
+export const displayName = 'Demo User';
