fix: preserve admin targets after SSO denial#1542
Conversation
📝 WalkthroughWalkthroughSSO redirects now preserve admin ChangesSSO redirect target handling
Sequence Diagram(s)sequenceDiagram
participant HS as handle_server()
participant HB as handle_broker()
participant HSent as headers_sent()
participant WPL as wp_login_url()
participant WPR as wp_redirect()
HS->>WPR: redirect broker URL with sso_verify=invalid and redirect_to
HB->>HSent: check before setcookie()
HB->>WPL: build wp-login.php for admin redirect_to
HB->>WPR: redirect to login URL
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/WP_Ultimo/SSO/SSO_Coverage_Test.php`:
- Around line 2121-2124: The handle_server() redirect assertion in
SSO_Coverage_Test is too brittle because add_query_arg() encodes query values,
so matching a literal /wp-admin/ may fail even when the redirect target is
correct. Update the test to inspect the redirect_to parameter by parsing
$redirect_url and asserting the decoded redirect target contains /wp-admin/,
using the existing redirect_url assertions in this test method as the place to
adjust.
- Around line 2315-2318: The SSO redirect assertion is brittle because
`wp_login_url()` already encodes `redirect_to` before `add_query_arg()` builds
the final URL. Update the `handle_broker()` test expectation to inspect the
decoded login redirect target instead of matching the raw encoded string, and
keep the existing checks in `SSO_Coverage_Test` focused on the `wp-login.php`
redirect plus the decoded `redirect_to` value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 5a6f36bb-baaf-4fff-8289-c1bf2d6de0ad
📒 Files selected for processing (3)
inc/sso/class-sso.phptests/WP_Ultimo/SSO/SSO_Coverage_Test.phptests/WP_Ultimo/SSO/SSO_Test.php
| $this->assertNotNull($redirect_url, 'handle_server() must redirect anonymous SSO grant requests back to the broker'); | ||
| $this->assertStringContainsString('sso_verify=invalid', $redirect_url); | ||
| $this->assertStringContainsString('redirect_to=', $redirect_url); | ||
| $this->assertStringContainsString('/wp-admin/', $redirect_url); |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Parse redirect_to instead of matching the encoded URL.
Line 2124 checks for a literal /wp-admin/, but add_query_arg() percent-encodes query values. This test can fail even when the redirect target is preserved correctly.
Suggested fix
$this->assertNotNull($redirect_url, 'handle_server() must redirect anonymous SSO grant requests back to the broker');
$this->assertStringContainsString('sso_verify=invalid', $redirect_url);
- $this->assertStringContainsString('redirect_to=', $redirect_url);
- $this->assertStringContainsString('/wp-admin/', $redirect_url);
+ $query = [];
+ parse_str((string) wp_parse_url($redirect_url, PHP_URL_QUERY), $query);
+
+ $this->assertArrayHasKey('redirect_to', $query);
+ $this->assertSame($redirect_to, $query['redirect_to']);📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| $this->assertNotNull($redirect_url, 'handle_server() must redirect anonymous SSO grant requests back to the broker'); | |
| $this->assertStringContainsString('sso_verify=invalid', $redirect_url); | |
| $this->assertStringContainsString('redirect_to=', $redirect_url); | |
| $this->assertStringContainsString('/wp-admin/', $redirect_url); | |
| $this->assertNotNull($redirect_url, 'handle_server() must redirect anonymous SSO grant requests back to the broker'); | |
| $this->assertStringContainsString('sso_verify=invalid', $redirect_url); | |
| $query = []; | |
| parse_str((string) wp_parse_url($redirect_url, PHP_URL_QUERY), $query); | |
| $this->assertArrayHasKey('redirect_to', $query); | |
| $this->assertSame($redirect_to, $query['redirect_to']); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/WP_Ultimo/SSO/SSO_Coverage_Test.php` around lines 2121 - 2124, The
handle_server() redirect assertion in SSO_Coverage_Test is too brittle because
add_query_arg() encodes query values, so matching a literal /wp-admin/ may fail
even when the redirect target is correct. Update the test to inspect the
redirect_to parameter by parsing $redirect_url and asserting the decoded
redirect target contains /wp-admin/, using the existing redirect_url assertions
in this test method as the place to adjust.
| $this->assertNotNull($redirect_url, 'handle_broker() must redirect invalid admin SSO requests'); | ||
| $this->assertStringContainsString('wp-login.php', $redirect_url); | ||
| $this->assertStringContainsString(rawurlencode($redirect_to), $redirect_url); | ||
| $this->assertStringNotContainsString($return_url . '?sso_verify=invalid', $redirect_url); |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Decode the login redirect target before asserting it.
wp_login_url() encodes redirect_to before handing it to add_query_arg(), so Line 2317 is brittle against the actual URL shape and can fail on a correct redirect.
Suggested fix
$this->assertNotNull($redirect_url, 'handle_broker() must redirect invalid admin SSO requests');
$this->assertStringContainsString('wp-login.php', $redirect_url);
- $this->assertStringContainsString(rawurlencode($redirect_to), $redirect_url);
+ $query = [];
+ parse_str((string) wp_parse_url($redirect_url, PHP_URL_QUERY), $query);
+
+ $this->assertArrayHasKey('redirect_to', $query);
+ $this->assertSame($redirect_to, urldecode((string) $query['redirect_to']));
$this->assertStringNotContainsString($return_url . '?sso_verify=invalid', $redirect_url);📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| $this->assertNotNull($redirect_url, 'handle_broker() must redirect invalid admin SSO requests'); | |
| $this->assertStringContainsString('wp-login.php', $redirect_url); | |
| $this->assertStringContainsString(rawurlencode($redirect_to), $redirect_url); | |
| $this->assertStringNotContainsString($return_url . '?sso_verify=invalid', $redirect_url); | |
| $this->assertNotNull($redirect_url, 'handle_broker() must redirect invalid admin SSO requests'); | |
| $this->assertStringContainsString('wp-login.php', $redirect_url); | |
| $query = []; | |
| parse_str((string) wp_parse_url($redirect_url, PHP_URL_QUERY), $query); | |
| $this->assertArrayHasKey('redirect_to', $query); | |
| $this->assertSame($redirect_to, urldecode((string) $query['redirect_to'])); | |
| $this->assertStringNotContainsString($return_url . '?sso_verify=invalid', $redirect_url); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/WP_Ultimo/SSO/SSO_Coverage_Test.php` around lines 2315 - 2318, The SSO
redirect assertion is brittle because `wp_login_url()` already encodes
`redirect_to` before `add_query_arg()` builds the final URL. Update the
`handle_broker()` test expectation to inspect the decoded login redirect target
instead of matching the raw encoded string, and keep the existing checks in
`SSO_Coverage_Test` focused on the `wp-login.php` redirect plus the decoded
`redirect_to` value.
Summary
Verification
aidevops.sh v3.25.0 plugin for OpenCode v1.17.11 with gpt-5.5 spent 36m and 255,862 tokens on this with the user in an interactive session. Merged via PR #1542 to main. |
Summary
redirect_totargets when anonymous SSO grants are denied, so mapped-domain/wp-admin/requests fall back to the login form instead of the site homepage.wp_login_url( redirect_to, true )while keeping public anonymous SSO denials on their original return URL.Verification
/wp-admin/redirected through SSO denial and ended at the subsite homepage before the fix./wp-admin/now redirects towp-login.php?redirect_to=<mapped-subsite>/wp-admin/&reauth=1; login POST returnsLocation: <mapped-subsite>/wp-admin/.vendor/bin/phpcs inc/sso/class-sso.php tests/WP_Ultimo/SSO/SSO_Test.php tests/WP_Ultimo/SSO/SSO_Coverage_Test.phpvendor/bin/phpunit --filter 'WP_Ultimo\\SSO\\SSO_Test|WP_Ultimo\\SSO\\SSO_Coverage_Test'aidevops.sh v3.25.0 plugin for OpenCode v1.17.11 with gpt-5.5 spent 36m and 255,862 tokens on this with the user in an interactive session.
Summary by CodeRabbit
Bug Fixes
Tests