fix: harden cookie-less SSO token redirects#1086
When the user is already logged in on the main site and visits the login page with SSO params, redirect them directly to the subsite with a verification token instead of showing the 'already logged in' message.
- Check for 'sso' param in addition to 'return_url'
- Extract return_url from redirect_to query params if present
- Handle WP_Error user object in handle_login_redirect
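As an added example (not the plugin's code and not part of this PR), the shape of the hardened flow the description asks for: resolve a redirect_to nested inside return_url against an allowlist of hosts, mint a short-lived HMAC-signed token with a jti, and refuse replayed tokens or off-host destinations when the token is consumed. The function names, hosts, secret and the in-memory $used_jti array (standing in for transients) are constructed assumptions.

```php
<?php
// Added example (hypothetical names), not the plugin's own code. The $used_jti
// array stands in for the wu_sso_token.jti transients; values are constructed.
const SSO_KEY = 'constructed-demo-secret-replace-me';
const SSO_ALLOWED_HOSTS = ['example.test', 'sub.example.test'];
$used_jti = [];

// Resolve the post-login destination: honour a redirect_to nested in the
// return_url query, but only if it stays on an allowed host (no open redirect).
function sso_resolve_redirect_to(string $return_url): ?string {
    $parts = parse_url($return_url);
    if (!isset($parts['host']) || !in_array($parts['host'], SSO_ALLOWED_HOSTS, true)) {
        return null;                                   // off-site return_url
    }
    parse_str($parts['query'] ?? '', $q);
    $target = $q['redirect_to'] ?? $return_url;
    $host = parse_url($target, PHP_URL_HOST);
    if ($host === null && str_starts_with($target, '/') && !str_starts_with($target, '//')) {
        return 'https://' . $parts['host'] . $target;  // path-only: pin to subsite host
    }
    return in_array($host, SSO_ALLOWED_HOSTS, true) ? $target : null;
}

// Mint a short-lived, HMAC-signed, single-use token carrying the destination.
function sso_build_token(int $user_id, string $redirect_to, int $now): string {
    $payload = ['uid' => $user_id, 'rt' => $redirect_to, 'exp' => $now + 60,
                'jti' => bin2hex(random_bytes(16))];
    $body = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=');
    return $body . '.' . hash_hmac('sha256', $body, SSO_KEY);
}

// Consume on the subsite: check signature, expiry and replay before trusting
// the embedded redirect_to, then burn the jti so a replayed URL is rejected.
function sso_consume_token(string $token, int $now): ?array {
    global $used_jti;
    [$body, $sig] = array_pad(explode('.', $token, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $body, SSO_KEY), $sig)) return null;
    $p = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($p) || !isset($p['uid'], $p['rt'], $p['exp'], $p['jti'])
        || $p['exp'] < $now || isset($used_jti[$p['jti']])) return null;
    $used_jti[$p['jti']] = true;
    $rt = sso_resolve_redirect_to($p['rt']);
    return $rt === null ? null : ['uid' => (int) $p['uid'], 'redirect_to' => $rt];
}

// Constructed walk-through: the nested admin URL survives the bounce.
$tok = sso_build_token(7, 'https://sub.example.test/login/?redirect_to=' .
    rawurlencode('https://sub.example.test/wp/wp-admin/'), time());
var_dump(sso_consume_token($tok, time()));   // first use
var_dump(sso_consume_token($tok, time()));   // second use is a replay
```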
Caution: Review failed. Pull request was closed or merged during review.

Walkthrough
SSO redirect handling now uses a centralized

Changes: SSO Redirect Logic

Sequence Diagram
```mermaid
sequenceDiagram
    actor User
    participant Client as Browser/<br>Client
    participant SSO as SSO Handler
    participant Auth as WordPress<br>Auth
    participant Helper as get_sso_redirect_to()
    User->>Client: Visit cross-domain resource<br/>(return_url + redirect_to)
    Client->>SSO: Request with return_url param
    alt User logged in on main site
        SSO->>Helper: get_sso_redirect_to(return_url)
        Helper-->>SSO: Resolved redirect_to<br/>(cross-domain aware)
        SSO->>Client: Redirect to login with<br/>redirect_to param
    else User not logged in
        SSO->>Auth: Build login URL
        Auth-->>SSO: Login URL ready
        SSO->>Client: Redirect to login
    end
    Client->>Auth: Submit credentials
    Auth->>SSO: handle_login_redirect()
    SSO->>Helper: Compute redirect_to
    Helper-->>SSO: Final redirect_to value
    SSO->>Client: Return cookie-less token URL<br/>+ redirect_to param
    Client->>SSO: Consume token via<br/>redirect_to destination
    SSO->>User: Redirect to intended<br/>destination (admin, etc)
```
Resolves conflicts with #1088, which landed an overlapping cookie-less SSO hardening on main. Kept this branch's redirect_to wiring and the get_sso_redirect_to() helper so the originally requested admin URL survives the cross-domain bounce instead of always landing on /wp-admin/.

Conflicts:
- inc/sso/class-sso.php (5 conflict regions, all in cookie-less SSO logic)

Conflict resolution: Rebased/merged

What I kept from this branch (vs. main / #1088): This branch retains a small but functional delta over

The reason this matters:

Verification

Reviewer question: Given #1088 already shipped the core hardening (HMAC +

aidevops.sh v3.14.51 plugin for OpenCode v1.14.33 with claude-sonnet-4-6 spent 16h 48m on this as a headless worker.
Summary
/login/ pages via template_redirect, preserves direct cross-domain redirect_to admin URLs, and decorates cross-domain redirects with wu_sso_token.jti transients.

Verification
- php -l inc/sso/class-sso.php
- cd site && composer dump-autoload --optimize --no-scripts
- vidanuevanaz.org and confirmed HTTP/2 302 to /wp/wp-admin/ with WordPress auth cookies set for .vidanuevanaz.org.

Notes
Browser-agent navigation to the local TLS domains currently fails with net::ERR_SSL_PROTOCOL_ERROR even after launching a custom headless Chrome with Caddy CA trust and host resolver rules. Curl verifies the TLS endpoints and token flow locally.

aidevops.sh v3.14.51 plugin for OpenCode v1.14.33 with claude-sonnet-4-6 spent 16h 4m on this as a headless worker.