
Fix: Preserve OAuth referer through email confirmation flow#6700

Closed
bhatganeshdarshan wants to merge 1 commit into openstreetmap:master from bhatganeshdarshan:fix-oauth-email-confirmation

Conversation

@bhatganeshdarshan

Fix: Preserve OAuth referer through email confirmation flow

Changes

  • Store referer in session when user reaches login/signup from OAuth flow
  • Pass original OAuth referer to confirmation email instead of transformed welcome path
  • Restore referer after email confirmation to redirect back to OAuth authorization page
  • Preserve referer when resending confirmation email

Fixes issue where newly created accounts couldn't complete OAuth2 authorization after email confirmation. Users were being redirected to the home page instead of the OAuth authorization page.

Fixes #6699


Description

This PR addresses a bug in the OAuth2 authorization flow that affects newly created accounts. When a user creates an account through an OAuth2 client (like StreetComplete) and confirms their email, they should be redirected to the OAuth authorization page to complete the flow. Instead, they were being redirected to the home page, preventing the authorization from completing.


Root Cause:

The OAuth referer URL was being lost during the email confirmation process. The referer parameter was either not stored in the session, transformed into a welcome path, or not retrieved after email confirmation.


Solution:

This PR modifies three controllers to properly preserve the OAuth referer throughout the entire flow:

  • SessionsController: Stores the referer in session when user reaches login page from OAuth flow
  • UsersController: Preserves the original referer during signup and passes it to the confirmation email (instead of a transformed welcome path)
  • ConfirmationsController: Restores the referer from session after email confirmation and redirects appropriately

The fix ensures that the original OAuth authorization URL is maintained through:

  • Login page → Signup page → Email confirmation → OAuth authorization page
  • Login page → Resend confirmation → Back to login → OAuth authorization page

How has this been tested?

Test Environment:

  • Local development instance with Docker
  • Created test OAuth2 application with client_id and redirect_uri
  • Ruby 3.1, Rails 7.0

Test Scenarios:

New account creation through OAuth flow:

  • Navigate to /oauth2/authorize?client_id=TEST_CLIENT&response_type=code
  • Click "Sign up" from login page
  • Create new account with email
  • Confirm email via confirmation link
    Verified: User is correctly redirected to OAuth authorization page

Resend confirmation email:

  • Navigate to OAuth authorization URL (not logged in)
  • Enter a dummy email and click "Resend confirmation email"
  • Return to login page
  • Log in with existing account
    Verified: User is correctly redirected to OAuth authorization page (previously redirected to home page)

Existing account login:

  • Navigate to OAuth authorization URL
  • Log in with existing confirmed account
    Verified: Still works correctly, redirects to OAuth authorization page

Non-OAuth signup:

  • Navigate directly to /users/new
  • Create account without OAuth referer
  • Confirm email
    Verified: User is redirected to welcome page as expected

All tests passed successfully with the changes applied.

Store referer in session during signup to persist across requests. Pass referer through email confirmation links and transform to welcome_path with map parameters for signup emails. Clear referer from session after successful confirmation. Fixes issues where users would lose their original context after OAuth signup and email confirmation.
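The following is an added illustration written for this page, not code from this PR or from the openstreetmap-website code base. It models, in plain Ruby without Rails, the flow the description above lays out (remember the OAuth referer when the login/signup page is reached, carry it through email confirmation, restore it afterwards, fall back to the welcome page for non-OAuth signups), together with the check a reviewer would ask for whenever a value stored in the session later becomes a redirect target: only same-site paths are accepted, so the stored referer cannot be turned into an open redirect. The names `WELCOME_PATH`, `safe_referer`, `remember_referer` and `confirmation_redirect` are hypothetical, as is the decision to require the link's referer to match the session copy.

```ruby
require "uri"

# Hypothetical constant standing in for the application's welcome path.
WELCOME_PATH = "/welcome"

# Accept only a same-site path plus optional query string. Absolute URLs,
# protocol-relative "//host/..." values, userinfo and non-path strings are
# rejected, so a referer that later drives a redirect stays on this site.
def safe_referer(referer)
  return nil if referer.nil? || referer.strip.empty?
  uri = begin
    URI.parse(referer)
  rescue URI::InvalidURIError
    return nil
  end
  return nil if uri.scheme || uri.host || uri.userinfo
  path = uri.path.to_s
  return nil unless path.start_with?("/") && !path.start_with?("//")
  uri.query ? "#{path}?#{uri.query}" : path
end

# Login/signup page reached with a referer parameter: keep a validated copy
# in the session so it survives the signup -> email -> confirmation hops.
def remember_referer(session, referer)
  safe = safe_referer(referer)
  session[:referer] = safe if safe
  session
end

# Confirmation link handler: the link may echo the referer, but only the
# validated session copy decides where to go, and the two must agree.
# Without a stored OAuth referer the user lands on the welcome page.
def confirmation_redirect(session, link_referer)
  stored = session.delete(:referer)     # clear it once it has been used
  link = safe_referer(link_referer)
  return stored if stored && stored == link
  WELCOME_PATH
end

# Scenario from the PR's test list: signup started from the OAuth flow.
def oauth_signup_flow(authorize_url)
  session = {}
  remember_referer(session, authorize_url)   # login page stores it
  confirmation_redirect(session, authorize_url)  # mail link echoes it back
end

# Scenario from the PR's test list: direct signup without an OAuth referer.
def plain_signup_flow
  session = {}
  remember_referer(session, nil)
  confirmation_redirect(session, nil)
end

if __FILE__ == $PROGRAM_NAME
  authorize = "/oauth2/authorize?client_id=TEST_CLIENT&response_type=code"
  puts oauth_signup_flow(authorize)          # same-site path comes back
  puts oauth_signup_flow("https://evil.example/")  # rejected, welcome page
  puts plain_signup_flow                     # no referer, welcome page
end
```

The point of `safe_referer` is that the session is trusted but its contents came from a request parameter; validating at store time and again at use time keeps the two controllers that touch the value from having to agree on who checked it.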
@mmd-osm
Contributor

mmd-osm commented Jan 14, 2026

I'd say, we're already supporting this use case, and a code change is not required. However, since it isn't properly documented, I would focus on improving the documentation instead.

See my comment here: #6699 (comment)

@westnordost

So, in earlier discussions about this topic (linked in #6699), it was decided that after signup, the "welcome" page should still be shown after signup and before continuing with the authorization.

Does this PR do or allow for that?

@bhatganeshdarshan
Author

Thanks for the feedback @mmd-osm
After reviewing the flow, I understand that the current OAuth2 behavior is intentional.

I did find a separate issue where the OAuth referer is lost when using “Resend confirmation email”, and I’ve opened a new PR with tests for that: #6714

Is it okay if I close this PR and continue with the more targeted one?

@mmd-osm
Contributor

mmd-osm commented Jan 15, 2026

I don't see any issue with that, if it works best for you.


Linked issue: OAuth2: Newly created and email-confirmed accounts not redirected to authorization page
