How to remove query string from visible URL in Ring?


My app uses Central Authentication Service (CAS) to login to the app. For those unfamiliar, this means I have a Ring middleware that redirects visitors to the server page where they login, and are then bounced back to my site with some added information, including a “?ticket=AKJF2390JKl” type string in the URL. This string is the problem; by now they are already logged in, so this means there is a time I no longer need that ticket number. However, I’m having trouble figuring out how and when to remove that string. I have various middlewares set up to look at the request so far, and I can locate two places that string appears in the request map (that’s [:params :ticket] and [:query-string]), but dissocing those two keys doesn’t change what URL the page gets in the end (e.g. “http://mysite.com/?ticket=blahblah”). Not only is this unsightly, but it results in refresh failing on the page because the ticket is one-time use (though refresh works fine when you remove the ticket string altogether after they’ve logged in, as by that point it’s cookie-powered).

So, if I can remove an end-result query string by dissocing from the request map with my middleware, my question is this:

  1. What do I need to dissoc in order to see a change in the end-user URL?
  2. When in the middleware cycle do I need to perform this dissoc?

If dissoc isn’t the answer, what is?

What is your app code using in the Ring request that it sees the URL with that in it?

I suspect it’s checking :uri directly (why?) so your middleware to dissoc from :params and modify :query-string is also going to need to modify :uri so you’ll probably need to do some regex replacement (and be careful you don’t turn :uri into an invalid string!).

You may also need to dissoc from :query-params (which is where URL parameters end up, as well as in :params depending on the middleware your app is using).

I’m running reitit.ring as my middleware framework, with the handler serving to check :query-params and :session for the portion that actually uses that information. It’s not clear to me what actually generates the uri string, though, as I don’t see anything explicitly mentioning :headers.

You can’t “modify” the URL on the server. It is a reflection in the browser of the URL that was sent to the server. You can only redirect the user.

So if you have some flow of requests like:

GET /home --sign-in--> POST /login --success-redirect--> /success?ticket=AKJF2390JKI

Then you could have one more redirect at the end:

GET /success?ticket=AKJF2390JKI --redirect--> GET /success
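The extra redirect described above, sketched as Ring middleware; this is an added example, not code from the thread. `wrap-strip-ticket` and its helpers are hypothetical names, and the sketch assumes the CAS middleware wraps this one (so it has already validated the ticket) and writes the login into the session on the response's way out.

```clojure
(ns example.strip-ticket
  (:require [clojure.string :as str]))

(defn- query-pairs
  "Splits a raw query string into its `name=value` pairs."
  [query-string]
  (remove str/blank? (str/split (or query-string "") #"&")))

(defn- ticket-pair?
  "True when the pair's parameter name is exactly `ticket`."
  [pair]
  (= "ticket" (first (str/split pair #"=" 2))))

(defn- clean-location
  "Builds a same-site redirect target from the request path and the
  remaining query pairs. Leading slashes are collapsed so a path such
  as `//other.example/` cannot become a scheme-relative redirect."
  [uri pairs]
  (let [path (str/replace (or uri "/") #"^/+" "/")]
    (if (seq pairs)
      (str path "?" (str/join "&" pairs))
      path)))

(defn wrap-strip-ticket
  "Hypothetical middleware (synchronous handlers only). Assumes the CAS
  middleware sits outside it. A GET that still carries `ticket` gets a
  302 to the same path without it; other query parameters are kept.
  Everything else is passed to the handler untouched."
  [handler]
  (fn [{:keys [request-method uri query-string] :as request}]
    (let [pairs (query-pairs query-string)]
      (if (and (= :get request-method) (some ticket-pair? pairs))
        {:status  302
         :headers {"Location" (clean-location uri (remove ticket-pair? pairs))}
         :body    ""}
        (handler request)))))

(comment
  ;; Constructed request map, shaped like the one in the question.
  ((wrap-strip-ticket (fn [_] {:status 200 :headers {} :body "home"}))
   {:request-method :get
    :uri            "/success"
    :query-string   "ticket=AKJF2390JKI&tab=profile"}))
```

Redirecting immediately also keeps the one-time ticket out of bookmarks and out of `Referer` headers sent from the landing page.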

Perfect; this explains what I’ve often seen. Somehow I got tricked into thinking there was another way.