2 changes: 1 addition & 1 deletion src/Modules/OneTapLogin.php
Expand Up @@ -197,7 +197,7 @@ public function validate_token(): void {
*/
do_action( 'rtcamp.id_token_verified' );

$redirect_to = apply_filters( 'rtcamp.google_default_redirect', admin_url() );
$redirect_to = Helper::get_redirect_url();
$state = Helper::filter_input( INPUT_POST, 'state', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
$decoded_state = $state ? (array) ( json_decode( base64_decode( $state ) ) ) : null; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode

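Review bot: replacing `apply_filters( 'rtcamp.google_default_redirect', admin_url() )` with a bare `Helper::get_redirect_url()` call drops a public filter that third-party code may already hook, so any site customising the default redirect through it will silently lose that override unless get_redirect_url() applies the same filter internally (not visible in this diff). Suggest keeping the extension point around the new value, e.g. `$redirect_to = apply_filters( 'rtcamp.google_default_redirect', Helper::get_redirect_url() );`, or documenting the removal as a breaking change.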
10 changes: 9 additions & 1 deletion src/Utils/Helper.php
Expand Up @@ -215,7 +215,15 @@ public static function get_redirect_url(): string {
// Initializing the default with admin URL.
$default_redirect_url = admin_url();

if ( 'wp-login.php' === $pagenow ) {
$wp_login_url = trailingslashit( wp_login_url() );

Copilot AI Jan 14, 2026

The new URL detection logic for custom login URLs lacks test coverage. Given that the repository has comprehensive tests for other utility functions (GoogleClient, TokenVerifier, Authenticator), this new functionality should have corresponding unit tests to verify the URL comparison works correctly with various custom login URL scenarios.

// Get the current page URL.
$scheme = ( ! empty( $_SERVER['HTTPS'] ) && 'off' !== $_SERVER['HTTPS'] ) ? 'https' : 'http';
$host = isset( $_SERVER['HTTP_HOST'] ) ? sanitize_text_field( $_SERVER['HTTP_HOST'] ) : wp_parse_url( site_url(), PHP_URL_HOST );
Comment on lines +221 to +222

Copilot AI Jan 14, 2026

The $_SERVER['HTTPS'] variable should be sanitized before use. While the value is only compared, it's a best practice to sanitize superglobal inputs. Use filter_input(INPUT_SERVER, 'HTTPS', FILTER_SANITIZE_FULL_SPECIAL_CHARS) or similar.

$path = isset( $_SERVER['REQUEST_URI'] ) ? wp_parse_url( sanitize_text_field( $_SERVER['REQUEST_URI'] ), PHP_URL_PATH ) : '';
Comment on lines +222 to +223

Copilot AI Jan 14, 2026

Sanitizing before parsing can alter the URL structure. The order should be reversed: parse first using wp_parse_url(), then sanitize the extracted components. This ensures URL parsing works correctly before sanitization.

Comment on lines +221 to +223

Copilot AI Jan 14, 2026

WordPress provides is_ssl() function for HTTPS detection which is more reliable than checking $_SERVER['HTTPS'] directly. Consider using $scheme = is_ssl() ? 'https' : 'http'; instead.

$current_page_url = trailingslashit( $scheme . '://' . $host . $path );

Copilot AI Jan 14, 2026

The URL construction omits the query string from REQUEST_URI. When a user visits the custom login URL with ?redirect_to=..., the query string is stripped by wp_parse_url(..., PHP_URL_PATH), causing the comparison on line 226 to always fail when query parameters are present. This defeats the purpose of the fix.


if ( 'wp-login.php' === $pagenow || $current_page_url === $wp_login_url ) {
// If any redirect_to query parameter is available.
$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );

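Review bot: the new condition `$current_page_url === $wp_login_url` compares a URL rebuilt from request superglobals against one derived from the site's configured URL, so it fails silently (falling back to admin_url()) whenever the two disagree on scheme or host: behind a TLS-terminating proxy `$_SERVER['HTTPS']` is commonly absent while wp_login_url() returns an https URL, and `===` is case-sensitive although hostnames are not. Since `$host` comes from the request anyway, the check only needs the path; comparing `trailingslashit( $path )` against `trailingslashit( wp_parse_url( wp_login_url(), PHP_URL_PATH ) )` sidesteps both failure modes (building `$path` from PHP_URL_PATH is correct here, because wp_login_url() carries no query string either). Note also that this branch now honours `redirect_to` from the query string on custom login URLs, and FILTER_SANITIZE_URL only strips characters without restricting the destination, so the value must still go through wp_validate_redirect() (or be emitted via wp_safe_redirect()) before use; the rest of the function is outside this hunk, so please confirm that happens.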