fix(session): preserve intended URL across session timeout with remember-me

Session timeout redirected to /de/login?return_to=... but the remember-me
cookie was not cleared by logoutDueToSessionTimeout(). On the next request,
autoLoginFromCookie() silently re-logged the user in, causing the MintyPHP
router to resolve the login route to pages/index().php (dashboard) instead
of the login action — the intended URL redirect logic never executed.

Fix: intercept ?return_to= immediately after successful auto-login in
index.php and redirect to the sanitized route path. Also harden the login
flow with hidden return_to form fields and POST body fallback for cases
without remember-me.

Additional improvements in this commit:
- Convert stored REQUEST_URI to router-compatible path (strip leading
  slash and locale prefix) via IntendedUrlService::toRoutePath()
- Consolidate duplicate CSRF data attributes into shared data-csrf-key
  and data-csrf-token on <html> element
- Add tenant branding (logo) to auth pages via appAuthLogoUrl() helper

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 18:28:13 +01:00
parent add5cca222
commit e1c211069e
10 changed files with 115 additions and 14 deletions

View File

@@ -47,12 +47,22 @@ class IntendedUrlService
/**
* Retrieve the intended URL and remove it from the session.
* Returns the fallback ('admin') if no valid URL is stored.
*
* The stored URL is a full REQUEST_URI (e.g. /de/admin/users?page=2)
* but Router::redirect() expects a route path without leading slash
* and without locale prefix (e.g. admin/users?page=2), because it
* prepends getBaseUrl() which already includes the base path.
*/
public function retrieveAndForget(SessionStoreInterface $session): string
{
$value = $this->retrieve($session);
$session->remove(self::SESSION_KEY);
return $value ?? self::FALLBACK;
if ($value === null) {
return self::FALLBACK;
}
return $this->toRoutePath($value);
}
/**
@@ -103,6 +113,25 @@ class IntendedUrlService
return $url;
}
/**
* Convert a full REQUEST_URI into a Router::redirect()-compatible route path.
*
* /de/admin/users?page=2 → admin/users?page=2
* /admin/users → admin/users
*/
public function toRoutePath(string $url): string
{
// Remove leading slash
$path = ltrim($url, '/');
// Remove locale prefix (2-letter code followed by /)
if (preg_match('#^[a-z]{2}/#', $path)) {
$path = substr($path, 3);
}
return $path !== '' ? $path : self::FALLBACK;
}
/**
* Extract the path portion without query string and without locale prefix.
*/

View File

@@ -450,6 +450,24 @@ function appLogoUrl(?int $size = null): string
return asset('brand/logo.svg');
}
/**
* Resolve logo for auth pages: tenant avatar → global logo → default SVG.
*
* After logout the tenant context (`$_SESSION['current_tenant']`) is preserved,
* so the login page can show the tenant avatar instead of the generic app logo.
*/
function appAuthLogoUrl(?int $size = null): string
{
$tenantUuid = $_SESSION['current_tenant']['uuid'] ?? '';
if ($tenantUuid !== '' && class_exists('MintyPHP\\Service\\Tenant\\TenantAvatarService')) {
if (app(\MintyPHP\Service\Tenant\TenantAvatarService::class)->hasAvatar($tenantUuid)) {
$query = $size ? '&size=' . (int) $size : '';
return lurl('auth/tenant-avatar-file?uuid=' . rawurlencode($tenantUuid) . $query);
}
}
return appLogoUrl($size);
}
/**
* Resolve favicon path (tenant favicon with global fallback).
*/