feat: restrict redirectUrls for CAS login (#2118)

* feat: support cas restricted login

* feat: add cas login i18n

* feat: add CheckCasService for all cas api

* feat: gofumpt

* feat: replace 404

* feat: reuse i18n

* feat: delete CheckCasService

* Update token_cas.go

* Update LoginPage.js

* Update token_cas.go

---------

Co-authored-by: hsluoyz <hsluoyz@qq.com>

controllers/organization.go

@@ -183,6 +183,8 @@ func (c *ApiController) DeleteOrganization() {
 func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
+	redirectUri := c.Input().Get("redirectUri")
+	typ := c.Input().Get("type")
 
 	application, err := object.GetDefaultApplication(id)
 	if err != nil {
@@ -190,6 +192,14 @@ func (c *ApiController) GetDefaultApplication() {
 		return
 	}
 
+	if typ == "cas" {
+		err = object.CheckCasRestrict(application, c.GetAcceptLanguage(), redirectUri)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
 	maskedApplication := object.GetMaskedApplication(application, userId)
 	c.ResponseOk(maskedApplication)
 }

object/token_cas.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	"github.com/beevik/etree"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	dsig "github.com/russellhaering/goxmldsig"
 )
@@ -122,6 +123,13 @@ var stToServiceResponse sync.Map
 // pgt is short for proxy granting ticket
 var pgtToServiceResponse sync.Map
 
+func CheckCasRestrict(application *Application, lang string, service string) error {
+	if len(application.RedirectUris) > 0 && !application.IsRedirectUriValid(service) {
+		return fmt.Errorf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), service)
+	}
+	return nil
+}
+
 func StoreCasTokenForPgt(token *CasAuthenticationSuccess, service, userId string) string {
 	pgt := fmt.Sprintf("PGT-%s", util.GenerateId())
 	pgtToServiceResponse.Store(pgt, &CasAuthenticationSuccessWrapper{

web/src/auth/LoginPage.js

@@ -173,7 +173,12 @@ class LoginPage extends React.Component {
           this.onUpdateApplication(res.data);
         });
     } else {
-      OrganizationBackend.getDefaultApplication("admin", this.state.owner)
+      let redirectUri = "";
+      if (this.state.type === "cas") {
+        const casParams = Util.getCasParameters();
+        redirectUri = casParams.service;
+      }
+      OrganizationBackend.getDefaultApplication("admin", this.state.owner, this.state.type, redirectUri)
         .then((res) => {
           if (res.status === "ok") {
             const application = res.data;
@@ -183,9 +188,9 @@ class LoginPage extends React.Component {
             });
           } else {
             this.onUpdateApplication(null);
-            Setting.showMessage("error", res.msg);
+            this.setState({
-
+              msg: res.msg,
-            this.props.history.push("/404");
+            });
           }
         });
     }

web/src/backend/OrganizationBackend.js

@@ -70,8 +70,8 @@ export function deleteOrganization(organization) {
   }).then(res => res.json());
 }
 
-export function getDefaultApplication(owner, name) {
+export function getDefaultApplication(owner, name, type = "", redirectUri = "") {
-  return fetch(`${Setting.ServerUrl}/api/get-default-application?id=${owner}/${encodeURIComponent(name)}`, {
+  return fetch(`${Setting.ServerUrl}/api/get-default-application?id=${owner}/${encodeURIComponent(name)}&type=${type}&redirectUri=${redirectUri}`, {
     method: "GET",
     credentials: "include",
     headers: {