Merge pull request #744 from cakephp/redirect-url-query-param

ADmad · web-flow · commit 86b48f298df3 · 2025-11-06T07:38:04.000+05:30
Set the redirect query param only for GET requests.
diff --git a/src/AuthenticationService.php b/src/AuthenticationService.php
@@ -383,14 +383,20 @@ public function buildIdentity(ArrayAccess|array $identityData): IdentityInterfac
      */
     public function getUnauthenticatedRedirectUrl(ServerRequestInterface $request): ?string
     {
-        $param = $this->getConfig('queryParam');
         $target = $this->getConfig('unauthenticatedRedirect');
         if ($target === null) {
             return null;
         }
+
         if (is_array($target) && class_exists(Router::class)) {
             $target = Router::url($target);
         }
+
+        if ($request->getMethod() !== 'GET') {
+            return $target;
+        }
+
+        $param = $this->getConfig('queryParam');
         if ($param === null) {
             return $target;
         }
diff --git a/tests/TestCase/AuthenticationServiceTest.php b/tests/TestCase/AuthenticationServiceTest.php
@@ -847,6 +847,22 @@ public function testGetUnauthenticatedRedirectUrl()
         );
     }
 
+    public function testGetUnauthenticatedRedirectUrlForPost()
+    {
+        $service = new AuthenticationService();
+        $service->setConfig('unauthenticatedRedirect', '/users/login');
+        $service->setConfig('queryParam', 'redirect');
+
+        $request = ServerRequestFactory::fromGlobals(
+            ['REQUEST_URI' => '/secrets', 'REQUEST_METHOD' => 'POST'],
+        );
+        $this->assertSame(
+            '/users/login',
+            $service->getUnauthenticatedRedirectUrl($request),
+            'Redirect query param should be only set for GET requests',
+        );
+    }
+
     public function testGetUnauthenticatedRedirectUrlAsArray()
     {
         Router::fullBaseUrl('http://localhost');

Original file line number	Diff line number	Diff line change
`@@ -383,14 +383,20 @@ public function buildIdentity(ArrayAccess\|array $identityData): IdentityInterfac`
`383`	`383`	`*/`
`384`	`384`	`public function getUnauthenticatedRedirectUrl(ServerRequestInterface $request): ?string`
`385`	`385`	`{`
`386`		`- $param = $this->getConfig('queryParam');`
`387`	`386`	`$target = $this->getConfig('unauthenticatedRedirect');`
`388`	`387`	`if ($target === null) {`
`389`	`388`	`return null;`
`390`	`389`	`}`
	`390`	`+`
`391`	`391`	`if (is_array($target) && class_exists(Router::class)) {`
`392`	`392`	`$target = Router::url($target);`
`393`	`393`	`}`
	`394`	`+`
	`395`	`+ if ($request->getMethod() !== 'GET') {`
	`396`	`+ return $target;`
	`397`	`+ }`
	`398`	`+`
	`399`	`+ $param = $this->getConfig('queryParam');`
`394`	`400`	`if ($param === null) {`
`395`	`401`	`return $target;`
`396`	`402`	`}`