fix: handle redirect param after 2FA login

Author: ccailly

package-lock.json

@@ -101,6 +101,7 @@
         "cypress": "^14.3.2",
         "cypress-axe": "^1.6.0",
         "cypress-network-idle": "^1.15.0",
+        "cypress-otp": "^1.0.3",
         "eslint": "^9.25.1",
         "eslint-plugin-cypress": "^4.3.0",
         "eslint-plugin-mocha": "^11.0.0",

package.json

@@ -1065,7 +1065,15 @@ public function login($login_name, $login_password, $noauto = false, $remember_m
                                 'extauth' => $this->extauth,
                                 'remember_me' => $remember_me,
                             ];
-                            Html::redirect($CFG_GLPI["root_doc"] . '/?mfa=1');
+
+                            $redirect_params = [
+                                'mfa' => 1,
+                            ];
+                            if (isset($_POST['redirect'])) {
+                                $redirect_params['redirect'] = \rawurlencode($_POST['redirect']);
+                            }
+
+                            Html::redirect($CFG_GLPI["root_doc"] . '/?' . http_build_query($redirect_params));
                         } elseif (isset($mfa_params['totp_code']) && !$totp->verifyCodeForUser($mfa_params['totp_code'], $this->user->fields['id'])) {
                             $this->addToError(__('Invalid TOTP code'));
                             $this->auth_succeded = false;

src/Auth.php

@@ -472,7 +472,9 @@ public function getGracePeriodDaysLeft(): int
      */
     public function showTOTPPrompt(int $users_id): void
     {
-        TemplateRenderer::getInstance()->display('pages/2fa/2fa_request.html.twig');
+        TemplateRenderer::getInstance()->display('pages/2fa/2fa_request.html.twig', [
+            'redirect' => $_GET['redirect'] ?? '',
+        ]);
     }
 
     /**

src/Glpi/Security/TOTPManager.php

@@ -40,6 +40,7 @@
 {% block content_block %}
    <form method="post" action="front/login.php" data-submit-once autocomplete="off" class="m-n4" data-code-type="code">
       <input type="hidden" name="_glpi_csrf_token" value="{{ csrf_token() }}" />
+      <input type="hidden" name="redirect" value="{{ redirect }}"/>
       <div>
          {{ tfa.tfa_code_input() }}
          <input type="text" name="backup_code" class="form-control d-none" disabled="disabled" placeholder="{{ __('Backup code') }}"/>

templates/pages/2fa/2fa_request.html.twig

@@ -34,7 +34,8 @@
    <div class="d-flex justify-content-center">
       {% for i in 1..digits %}
          <input type="text" class="form-control text-center {{ i != 1 ? 'ms-2' : '' }} fw-bold" name="totp_code[]"
-             maxlength="1" pattern="[0-9]" inputmode="numeric" required style="width: 2em; font-size: 1.5em">
+             maxlength="1" pattern="[0-9]" inputmode="numeric" required style="width: 2em; font-size: 1.5em"
+             aria-label="{{ __('2FA code digit %s of %s')|format(i, digits) }}">
       {% endfor %}
    </div>
    <script>
@@ -110,7 +111,7 @@
                <div class="mx-auto">
                   <div>
                      <div class="btn-group d-flex">
-                        <input class="form-control" alt="{{ __('Secret') }}" value="{{ secret }}"/>
+                        <input class="form-control" alt="{{ __('2FA secret') }}" value="{{ secret }}" aria-label="{{ __('2FA secret') }}" />
                         <button type="button" class="btn btn-icon flex-grow-0 flex-shrink-0" name="copy_secret" data-clipboard-text="{{ secret }}">
                            <i class="ti ti-clipboard-copy"></i>
                         </button>

templates/pages/2fa/macros.html.twig

@@ -68,7 +68,8 @@ module.exports = defineConfig({
                     // eslint-disable-next-line no-console
                     console.table(message);
                     return null;
-                }
+                },
+                generateOTP: require('cypress-otp')
             });
         },
     },

tests/cypress.config.js

@@ -89,6 +89,56 @@ describe("Session", () => {
         cy.url().should('contains', "/front/ticket.form.php");
     });
 
+    it("redirect to requested page after login with 2FA enabled", () => {
+        // Create a new user
+        const username = `e2e_tests_2fa${Date.now()}`;
+        cy.createWithAPI('User', {
+            'name'        : username,
+            'login'       : username,
+            'password'    : 'glpi',
+            'password2'   : 'glpi',
+            '_profiles_id': 2, // Super-Admin
+        });
+
+        // Login as the new user
+        cy.login(username, 'glpi');
+
+        // Configure 2FA
+        cy.visit('/front/preference.php');
+        cy.findByRole('tab', {'name': 'Two-factor authentication (2FA)'}).click();
+        cy.findByRole('textbox', {'name': '2FA secret'}).invoke('val').then((secret) => {
+            cy.wrap(secret).as('secret');
+            cy.task('generateOTP', secret).then((token) => {
+                cy.findByRole('textbox', {'name': '2FA code digit 1 of 6'}).type(token);
+            });
+        });
+        cy.findByRole('button', {'name': 'Disable 2FA'}).should('exist');
+
+        // Logout
+        cy.findByRole('link', {name: 'User menu'}).click();
+        cy.findByRole('link', {name: 'Logout'}).click();
+
+        cy.visit('/front/ticket.form.php', {
+            failOnStatusCode: false
+        });
+        cy.findByRole('link', {'name': "Log in again"}).click();
+
+        // Login as the new user
+        cy.findByRole('textbox', {'name': "Login"}).type(username);
+        cy.findByLabelText("Password").type('glpi');
+        cy.findByRole('button', {name: "Sign in"}).click();
+
+        // Fill 2FA code
+        cy.get('@secret').then((secret) => {
+            cy.task('generateOTP', secret).then((token) => {
+                cy.findByRole('textbox', {'name': '2FA code digit 1 of 6'}).type(token);
+            });
+        });
+
+        // Should be redirected to requested page
+        cy.url().should('contains', "/front/ticket.form.php");
+    });
+
     it("can change profile", () => {
         // Login and go to any page
         cy.login();