From 648f6215efc03e05ffee0b1eddfe15b37587e976 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 3 Dec 2020 17:20:03 -0500
Subject: [PATCH] fix: redirect external with absolute urls

---
 src/controllers/helpers.js | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/controllers/helpers.js b/src/controllers/helpers.js
index bd561ab169..0c34f9cbbb 100644
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -145,24 +145,31 @@ helpers.notAllowed = async function (req, res, error) {
 };
 
 helpers.redirect = function (res, url, permanent) {
- let redirectUrl;
 // this is used by sso plugins to redirect to the auth route
+ // { external: '/auth/sso' } or { external: 'https://domain/auth/sso' }
 if (url.hasOwnProperty('external')) {
- redirectUrl = res.local.isAPI ? relative_path + url.external : url.external;
- url.external = encodeURI(redirectUrl);
- } else {
- redirectUrl = url;
- url = encodeURI(url);
+ const redirectUrl = encodeURI(prependRelativePath(url.external));
+ if (res.locals.isAPI) {
+ res.set('X-Redirect', redirectUrl).status(200).json({ external: redirectUrl });
+ } else {
+ res.redirect(permanent ? 308 : 307, redirectUrl);
+ }
+ return;
 }
+
 if (res.locals.isAPI) {
- res.set('X-Redirect', encodeURI(redirectUrl)).status(200).json(url);
+ url = encodeURI(url);
+ res.set('X-Redirect', url).status(200).json(url);
 } else {
- redirectUrl = redirectUrl.startsWith('http://') || redirectUrl.startsWith('https://') ?
- redirectUrl : relative_path + redirectUrl;
- res.redirect(permanent ? 308 : 307, encodeURI(redirectUrl));
+ res.redirect(permanent ? 308 : 307, encodeURI(prependRelativePath(url)));
 }
 };
 
+function prependRelativePath(url) {
+ return url.startsWith('http://') || url.startsWith('https://') ?
+ url : relative_path + url;
+}
+
 helpers.buildCategoryBreadcrumbs = async function (cid) {
 const breadcrumbs = [];
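Review bot: `prependRelativePath` returns any value starting with `http://` or `https://` unchanged, so `helpers.redirect` now forwards a caller-supplied absolute URL to the client in both the `url.external` branch and the plain-string branch, via `res.redirect` or via `X-Redirect` and the JSON body for API requests. Nothing in the hunk restricts the destination host, so the helper is only safe while every caller builds `url` / `url.external` on the server and never copies it from request data such as a return-to parameter; otherwise it behaves as an open redirect. A value beginning with `//` is not matched by the prefix test and is harmless only when `relative_path` is non-empty, which cannot be confirmed from here because `relative_path` is defined outside the hunk. I would put the contract above the new helper, for example `// url must be a trusted, server-built value: absolute http(s) URLs are passed through unchanged`, and consider rejecting `//`-prefixed input at the same place.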