Issuer urldc is lost after error in 2F flow
Concerned version
Version: %2.0
Platform: (Nginx/Apache/Node.js)
Summary
On a default LLNG install
- Enable CAS
- Enable a 2F provider
Then:
- Go to /cas/login?url=http://somewhere/
- Enter valid credentials
- Enter a wrong 2F code
The portal shows an error message and sends you back to /?cancel=1
- Enter valid credentials again
- Enter a correct 2F code
You end up on the application menu and not on your original CAS service
This only happens with issuers; Handler vhosts are not affected.
Cause
This happens because urldc is lost after displaying the error. Handler vhosts set the _url in pdata, but issuers don't do this, and I'm not sure why.
Possible fixes
We could set the _url in pdata as soon as we start the issuer flow (in Issuer.pm)
Or, perhaps more conservatively, only when there is an error in 2F (in SecondFactor.pm)