Private message composition URLs don't work with SSO


(Atul Varma) #1

Hello! Discourse is awesome but I seem to be encountering an odd bug related to Discourse SSO and the Compose a new pre-filled private message via URL functionality.

Here’s what’s going on.

  1. A user is logged into my SSO site at https://example.org. They have not yet visited my Discourse site at https://discourse.example.org, so they don’t have a session established there yet.
  2. While on my SSO site, the user clicks on a link that takes them to https://discourse.example.org/new-message?username=foo. (Assume that foo is a valid user on my Discourse install.)
  3. My Discourse site notices that the user isn’t logged-in and redirects them to my SSO site, which immediately sends them back to my Discourse site.
  4. For a fraction of a second, the URL in the user’s address bar appears to be https://discourse.example.org/new-message, but it then changes to https://discourse.example.org/.
  5. A modal with the text “Sorry, an error has occurred” appears on the Discourse site.

This bug only seems to occur when the user clicks on a private message composition link and isn’t yet logged in to Discourse. Everything works fine if the user already has a Discourse session.

Everything also works fine if the user isn’t yet logged into Discourse and clicks a non-PM-composition link. For example, if the user clicks on a link to a specific topic, Discourse navigates to that topic after the SSO handshake without any problems. It’s only with PM composition links that Discourse appears to “forget” that it was supposed to open a PM composition link to foo after the SSO handshake.

Does this make sense? Is anyone else experiencing the same problem? If this is actually a bug, I’m willing to investigate the issue and submit a PR to fix it.


(Jeff Atwood) #2

Sure, if you’d like to submit a PR that’d be great!


(Sam Saffron) #3

Seems to be working fine now. Closing.


(Sam Saffron) #4