CakeDC Users plugin returns full request URL instead of just path part

Question

CakeDC Users plugin returns full request URL instead of just path part

TerryKern opened this issue 2 years ago · 0 comments

CakePHP: 4.x (in upgrade process from 3.x)
CakeDC/Users plugin: 9.3.1 (in upgrade process from 8.5.x)

We noticed during out upgrading that the behaviour of the login redirect has changed.
Before, with CakePHP 3.x, the login redirect URL contained only the path part of the requested URL.
With CakePHP 4.x and the new Users plugin, it returns the full request URL.

CakePHP 3.x: /login?redirect=%2Fcontroller-name%2Faction-name%2F1
CakePHP 4.x: /login?redirect=http%3A%2F%2Flocalhost%2Fcontroller-name%2Faction-name%2F1

Is there a particular reason for this behaviour change?
Also, it seems the redirect handlers of CakePHP Authorization plugin behave differently (like before).
If not, could the behaviour be adjusted to CakePHP's behaviour?

CakeDC/Users plugin redirect handler returns the full URL as login redirect query parameter
https://github.com/CakeDC/users/blame/11.1.0/src/Middleware/UnauthorizedHandler/DefaultRedirectHandler.php#L81

Before, CakeDC/Users plugin used CakePHP Authorization plugin's CakeRedirect handler
ed009e9#diff-edbb01d537d2d3f2f3c4988703da9866d7065bcf689034316f75a9f1a1f10707L202

Both CakePHP Authorization plugin redirect handlers return only the path (and query parameters) as login redirect query parameter
https://github.com/cakephp/authorization/blob/90c3a6556d2263b4a1970dfad8110ba06fba197f/src/Middleware/UnauthorizedHandler/RedirectHandler.php#L103-L107
https://github.com/cakephp/authorization/blob/90c3a6556d2263b4a1970dfad8110ba06fba197f/src/Middleware/UnauthorizedHandler/CakeRedirectHandler.php#L71-L75

The CakePHP Authorization plugin redirect handlers changed their behaviour in the following commit:
cakephp/authorization@1569b7c