Support redirecting to page according to query after authenticated (#6736)

#### What type of PR is this? /kind improvement /area core /milestone 2.20.0 #### What this PR does / why we need it: This PR supports query `redirect_uri` to control where to redirect after authenticated. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/6720 #### Special notes for your reviewer: Every step below needs you logging out. 1. Try to request <http://localhost:8090/console/login?redirect_uri=/xxx 2. Try to request <http://localhost:8090/login?redirect_uri=/xxx 3. Try to request <http://localhost:8090/console/posts #### Does this PR introduce a user-facing change? ```release-note None ```
2024-09-30 18:37:52 +08:00 · 2024-09-30 18:37:52 +08:00 · db65dd3b3a
parent 8a9b954969
commit db65dd3b3a
11 changed files with 241 additions and 27 deletions
--- a/application/src/main/java/run/halo/app/infra/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/infra/config/WebServerSecurityConfig.java
@ -22,6 +22,7 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
 import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
@ -36,6 +37,7 @@ import run.halo.app.extension.ReactiveExtensionClient;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.security.DefaultUserDetailService;
+import run.halo.app.security.HaloServerRequestCache;
 import run.halo.app.security.authentication.CryptoService;
 import run.halo.app.security.authentication.SecurityConfigurer;
 import run.halo.app.security.authentication.impl.RsaKeyService;
@ -64,7 +66,8 @@ public class WebServerSecurityConfig {
        ServerSecurityContextRepository securityContextRepository,
        ReactiveExtensionClient client,
        CryptoService cryptoService,
-        HaloProperties haloProperties) {
+        HaloProperties haloProperties,
+        ServerRequestCache serverRequestCache) {

        var pathMatcher = pathMatchers("/**");
        var staticResourcesMatcher = pathMatchers(HttpMethod.GET,
@ -134,7 +137,8 @@ public class WebServerSecurityConfig {
                    haloProperties.getSecurity().getReferrerOptions().getPolicy())
                )
                .hsts(hstsSpec -> hstsSpec.includeSubdomains(false))
-            );
+            )
+            .requestCache(spec -> spec.requestCache(serverRequestCache));

        // Integrate with other configurers separately
        securityConfigurers.orderedStream()
@ -142,6 +146,11 @@ public class WebServerSecurityConfig {
        return http.build();
    }

+    @Bean
+    ServerRequestCache serverRequestCache() {
+        return new HaloServerRequestCache();
+    }
+
    @Bean
    ServerSecurityContextRepository securityContextRepository() {
        return new WebSessionServerSecurityContextRepository();
--- a/application/src/main/java/run/halo/app/plugin/SharedApplicationContextFactory.java
+++ b/application/src/main/java/run/halo/app/plugin/SharedApplicationContextFactory.java
@ -5,6 +5,7 @@ import org.springframework.cache.CacheManager;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import run.halo.app.content.PostContentService;
 import run.halo.app.core.extension.service.AttachmentService;
 import run.halo.app.extension.DefaultSchemeManager;
@ -79,6 +80,12 @@ public enum SharedApplicationContextFactory {
            .ifUnique(rateLimiterRegistry ->
                beanFactory.registerSingleton("rateLimiterRegistry", rateLimiterRegistry)
            );
+
+        // Authentication plugins may need this RequestCache to handle successful login redirect
+        rootContext.getBeanProvider(ServerRequestCache.class)
+            .ifUnique(serverRequestCache ->
+                beanFactory.registerSingleton("serverRequestCache", serverRequestCache)
+            );
        // TODO add more shared instance here

        sharedContext.refresh();
--- a/application/src/main/java/run/halo/app/security/DefaultServerAuthenticationEntryPoint.java
+++ b/application/src/main/java/run/halo/app/security/DefaultServerAuthenticationEntryPoint.java
@ -5,6 +5,7 @@ import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
 import org.springframework.web.server.ServerWebExchange;
@ -30,9 +31,11 @@ public class DefaultServerAuthenticationEntryPoint implements ServerAuthenticati

    private final RedirectServerAuthenticationEntryPoint redirectEntryPoint;

-    public DefaultServerAuthenticationEntryPoint() {
-        this.redirectEntryPoint =
+    public DefaultServerAuthenticationEntryPoint(ServerRequestCache serverRequestCache) {
+        var entryPoint =
            new RedirectServerAuthenticationEntryPoint("/login?authentication_required");
+        entryPoint.setRequestCache(serverRequestCache);
+        this.redirectEntryPoint = entryPoint;
    }

    @Override
@ -40,7 +43,7 @@ public class DefaultServerAuthenticationEntryPoint implements ServerAuthenticati
        return xhrMatcher.matches(exchange)
            .filter(MatchResult::isMatch)
            .switchIfEmpty(
-                Mono.defer(() -> this.redirectEntryPoint.commence(exchange, ex)).then(Mono.empty())
+                Mono.defer(() -> this.redirectEntryPoint.commence(exchange, ex).then(Mono.empty()))
            )
            .flatMap(match -> Mono.defer(
                () -> {
--- a/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java
@ -10,6 +10,7 @@ import org.springframework.security.web.server.DelegatingServerAuthenticationEnt
 import org.springframework.security.web.server.authentication.AuthenticationConverterServerWebExchangeMatcher;
 import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
 import org.springframework.security.web.server.authorization.ServerWebExchangeDelegatingServerAccessDeniedHandler;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.stereotype.Component;
@ -24,10 +25,14 @@ public class ExceptionSecurityConfigurer implements SecurityConfigurer {

    private final ServerResponse.Context context;

+    private final ServerRequestCache serverRequestCache;
+
    public ExceptionSecurityConfigurer(MessageSource messageSource,
-        ServerResponse.Context context) {
+        ServerResponse.Context context,
+        ServerRequestCache serverRequestCache) {
        this.messageSource = messageSource;
        this.context = context;
+        this.serverRequestCache = serverRequestCache;
    }

    @Override
@ -59,7 +64,7 @@ public class ExceptionSecurityConfigurer implements SecurityConfigurer {
            ));
            entryPoints.add(new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                exchange -> ServerWebExchangeMatcher.MatchResult.match(),
-                new DefaultServerAuthenticationEntryPoint()
+                new DefaultServerAuthenticationEntryPoint(serverRequestCache)
            ));

            exception.authenticationEntryPoint(
--- a/application/src/main/java/run/halo/app/security/HaloServerRequestCache.java
+++ b/application/src/main/java/run/halo/app/security/HaloServerRequestCache.java
@ -0,0 +1,86 @@
+package run.halo.app.security;
+
+import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
+
+import java.net.URI;
+import java.util.Collections;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.http.server.RequestPath;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
+import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebSession;
+import reactor.core.publisher.Mono;
+
+/**
+ * Halo server request cache implementation for saving redirect URI from query.
+ *
+ * @author johnniang
+ */
+public class HaloServerRequestCache extends WebSessionServerRequestCache {
+
+    /**
+     * Currently, we have no idea to customize the sessionAttributeName in
+     * WebSessionServerRequestCache, so we have to copy the attr into here.
+     */
+    private static final String DEFAULT_SAVED_REQUEST_ATTR = "SPRING_SECURITY_SAVED_REQUEST";
+
+    private static final String REDIRECT_URI_QUERY = "redirect_uri";
+
+    private final String sessionAttrName = DEFAULT_SAVED_REQUEST_ATTR;
+
+    public HaloServerRequestCache() {
+        super();
+        setSaveRequestMatcher(createDefaultRequestMatcher());
+    }
+
+    @Override
+    public Mono<Void> saveRequest(ServerWebExchange exchange) {
+        var redirectUriQuery = exchange.getRequest().getQueryParams().getFirst(REDIRECT_URI_QUERY);
+        if (StringUtils.isNotBlank(redirectUriQuery)) {
+            var redirectUri = URI.create(redirectUriQuery);
+            return saveRedirectUri(exchange, redirectUri);
+        }
+        return super.saveRequest(exchange);
+    }
+
+    @Override
+    public Mono<URI> getRedirectUri(ServerWebExchange exchange) {
+        return super.getRedirectUri(exchange);
+    }
+
+    @Override
+    public Mono<ServerHttpRequest> removeMatchingRequest(ServerWebExchange exchange) {
+        return super.removeMatchingRequest(exchange);
+    }
+
+    private Mono<Void> saveRedirectUri(ServerWebExchange exchange, URI redirectUri) {
+        var requestPath = exchange.getRequest().getPath();
+        var redirectPath = RequestPath.parse(redirectUri, requestPath.contextPath().value());
+        var query = redirectUri.getRawQuery();
+        var finalRedirect =
+            redirectPath.pathWithinApplication() + (query == null ? "" : "?" + query);
+        return exchange.getSession()
+            .map(WebSession::getAttributes)
+            .doOnNext(attributes -> attributes.put(this.sessionAttrName, finalRedirect))
+            .then();
+    }
+
+    private static ServerWebExchangeMatcher createDefaultRequestMatcher() {
+        var get = pathMatchers(HttpMethod.GET, "/**");
+        var notFavicon = new NegatedServerWebExchangeMatcher(
+            pathMatchers(
+                "/favicon.*", "/login/**", "/signup/**", "/password-reset/**", "/challenges/**"
+            ));
+        var html = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
+        html.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
+        return new AndServerWebExchangeMatcher(get, notFavicon, html);
+    }
+
+}
--- a/application/src/main/java/run/halo/app/security/authentication/twofactor/TotpAuthenticationSuccessHandler.java
+++ b/application/src/main/java/run/halo/app/security/authentication/twofactor/TotpAuthenticationSuccessHandler.java
@ -5,6 +5,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.web.server.WebFilterExchange;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import reactor.core.publisher.Mono;
 import run.halo.app.security.LoginHandlerEnhancer;

@ -13,11 +14,14 @@ public class TotpAuthenticationSuccessHandler implements ServerAuthenticationSuc

    private final LoginHandlerEnhancer loginEnhancer;

-    private final ServerAuthenticationSuccessHandler successHandler =
-        new RedirectServerAuthenticationSuccessHandler("/uc");
+    private final ServerAuthenticationSuccessHandler successHandler;

-    public TotpAuthenticationSuccessHandler(LoginHandlerEnhancer loginEnhancer) {
+    public TotpAuthenticationSuccessHandler(LoginHandlerEnhancer loginEnhancer,
+        ServerRequestCache serverRequestCache) {
        this.loginEnhancer = loginEnhancer;
+        var successHandler = new RedirectServerAuthenticationSuccessHandler("/uc");
+        successHandler.setRequestCache(serverRequestCache);
+        this.successHandler = successHandler;
    }

    @Override
--- a/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java
@ -8,6 +8,7 @@ import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.stereotype.Component;
 import run.halo.app.security.LoginHandlerEnhancer;
 import run.halo.app.security.authentication.SecurityConfigurer;
@ -24,13 +25,17 @@ public class TwoFactorAuthSecurityConfigurer implements SecurityConfigurer {

    private final LoginHandlerEnhancer loginHandlerEnhancer;

+    private final ServerRequestCache serverRequestCache;
+
    public TwoFactorAuthSecurityConfigurer(
        ServerSecurityContextRepository securityContextRepository,
-        TotpAuthService totpAuthService, LoginHandlerEnhancer loginHandlerEnhancer
+        TotpAuthService totpAuthService, LoginHandlerEnhancer loginHandlerEnhancer,
+        ServerRequestCache serverRequestCache
    ) {
        this.securityContextRepository = securityContextRepository;
        this.totpAuthService = totpAuthService;
        this.loginHandlerEnhancer = loginHandlerEnhancer;
+        this.serverRequestCache = serverRequestCache;
    }

    @Override
@ -43,7 +48,7 @@ public class TwoFactorAuthSecurityConfigurer implements SecurityConfigurer {
        filter.setSecurityContextRepository(securityContextRepository);
        filter.setServerAuthenticationConverter(new TotpCodeAuthenticationConverter());
        filter.setAuthenticationSuccessHandler(
-            new TotpAuthenticationSuccessHandler(loginHandlerEnhancer)
+            new TotpAuthenticationSuccessHandler(loginHandlerEnhancer, serverRequestCache)
        );
        filter.setAuthenticationFailureHandler(
            new RedirectServerAuthenticationFailureHandler("/challenges/two-factor/totp?error")
--- a/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthenticationEntryPoint.java
+++ b/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthenticationEntryPoint.java
@ -3,8 +3,9 @@ package run.halo.app.security.authentication.twofactor;
 import java.net.URI;
 import org.springframework.context.MessageSource;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.server.DefaultServerRedirectStrategy;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
-import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
+import org.springframework.security.web.server.ServerRedirectStrategy;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.web.reactive.function.server.ServerResponse;
 import org.springframework.web.server.ServerWebExchange;
@ -18,10 +19,13 @@ public class TwoFactorAuthenticationEntryPoint implements ServerAuthenticationEn
        .flatMap(a -> ServerWebExchangeMatcher.MatchResult.match())
        .switchIfEmpty(ServerWebExchangeMatcher.MatchResult.notMatch());

-    private static final String REDIRECT_LOCATION = "/challenges/two-factor/totp";
+    private static final URI REDIRECT_LOCATION = URI.create("/challenges/two-factor/totp");

-    private final RedirectServerAuthenticationEntryPoint redirectEntryPoint =
-        new RedirectServerAuthenticationEntryPoint(REDIRECT_LOCATION);
+    /**
+     * Because we don't want to cache the request before redirecting to the 2FA page,
+     * ServerRedirectStrategy is used to redirect the request.
+     */
+    private final ServerRedirectStrategy redirectStrategy = new DefaultServerRedirectStrategy();

    private final MessageSource messageSource;

@ -45,10 +49,12 @@ public class TwoFactorAuthenticationEntryPoint implements ServerAuthenticationEn
    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
        return XHR_MATCHER.matches(exchange)
            .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
-            .switchIfEmpty(redirectEntryPoint.commence(exchange, ex).then(Mono.empty()))
+            .switchIfEmpty(
+                redirectStrategy.sendRedirect(exchange, REDIRECT_LOCATION).then(Mono.empty())
+            )
            .flatMap(isXhr -> {
                var errorResponse = Exceptions.createErrorResponse(
-                    new TwoFactorAuthRequiredException(URI.create(REDIRECT_LOCATION)),
+                    new TwoFactorAuthRequiredException(REDIRECT_LOCATION),
                    null, exchange, messageSource);
                return ServerResponse.status(errorResponse.getStatusCode())
                    .bodyValue(errorResponse.getBody())
--- a/application/src/main/java/run/halo/app/security/preauth/PreAuthLoginEndpoint.java
+++ b/application/src/main/java/run/halo/app/security/preauth/PreAuthLoginEndpoint.java
@ -8,6 +8,7 @@ import java.util.Objects;
 import java.util.Optional;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.server.RouterFunction;
 import org.springframework.web.reactive.function.server.RouterFunctions;
@ -18,6 +19,7 @@ import run.halo.app.core.extension.AuthProvider;
 import run.halo.app.infra.actuator.GlobalInfoService;
 import run.halo.app.plugin.PluginConst;
 import run.halo.app.security.AuthProviderService;
+import run.halo.app.security.HaloServerRequestCache;
 import run.halo.app.security.authentication.CryptoService;

 /**
@ -35,6 +37,8 @@ class PreAuthLoginEndpoint {

    private final AuthProviderService authProviderService;

+    private final ServerRequestCache serverRequestCache = new HaloServerRequestCache();
+
    PreAuthLoginEndpoint(CryptoService cryptoService, GlobalInfoService globalInfoService,
        AuthProviderService authProviderService) {
        this.cryptoService = cryptoService;
@ -46,6 +50,7 @@ class PreAuthLoginEndpoint {
    RouterFunction<ServerResponse> preAuthLoginEndpoints() {
        return RouterFunctions.nest(path("/login"), RouterFunctions.route()
            .GET("", request -> {
+                // TODO get redirect URI and cache it
                var exchange = request.exchange();
                var contextPath = exchange.getRequest().getPath().contextPath().value();
                var publicKey = cryptoService.readPublicKey()
@ -78,7 +83,8 @@ class PreAuthLoginEndpoint {
                    .filter(ap -> !Objects.equals(loginMethod, ap.getMetadata().getName()))
                    .cache();

-                return ServerResponse.ok().render("login", Map.of(
+                return serverRequestCache.saveRequest(exchange).then(Mono.defer(() ->
+                    ServerResponse.ok().render("login", Map.of(
                        "action", contextPath + "/login",
                        "publicKey", publicKey,
                        "globalInfo", globalInfo,
@ -87,6 +93,7 @@ class PreAuthLoginEndpoint {
                        "socialAuthProviders", socialAuthProviders,
                        "formAuthProviders", formAuthProviders
                        // TODO Add more models here
+                    ))
                ));
            })
            .build());
--- a/application/src/test/java/run/halo/app/security/DefaultServerAuthenticationEntryPointTest.java
+++ b/application/src/test/java/run/halo/app/security/DefaultServerAuthenticationEntryPointTest.java
@ -7,15 +7,22 @@ import java.net.URI;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 import org.springframework.mock.web.server.MockServerWebExchange;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.web.server.savedrequest.ServerRequestCache;
+import reactor.core.publisher.Mono;
 import reactor.test.StepVerifier;

@ExtendWith(MockitoExtension.class)
 class DefaultServerAuthenticationEntryPointTest {

+    @Mock
+    ServerRequestCache requestCache;
+
    @InjectMocks
    DefaultServerAuthenticationEntryPoint entryPoint;

@ -40,6 +47,7 @@ class DefaultServerAuthenticationEntryPointTest {
            .build();
        var mockExchange = MockServerWebExchange.builder(mockReq)
            .build();
+        Mockito.when(requestCache.saveRequest(mockExchange)).thenReturn(Mono.empty());
        var commenceMono = entryPoint.commence(mockExchange,
            new AuthenticationCredentialsNotFoundException("Not Found"));
        StepVerifier.create(commenceMono)
--- a/application/src/test/java/run/halo/app/security/HaloServerRequestCacheTest.java
+++ b/application/src/test/java/run/halo/app/security/HaloServerRequestCacheTest.java
@ -0,0 +1,74 @@
+package run.halo.app.security;
+
+import java.net.URI;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.http.MediaType;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.web.server.MockServerWebExchange;
+import org.springframework.web.server.session.DefaultWebSessionManager;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+class HaloServerRequestCacheTest {
+
+    HaloServerRequestCache requestCache;
+
+    @BeforeEach
+    void setUp() {
+        requestCache = new HaloServerRequestCache();
+    }
+
+    @Test
+    void shouldNotSaveIfPageNotCacheable() {
+        var mockExchange =
+            MockServerWebExchange.from(MockServerHttpRequest.get("/login"));
+        requestCache.saveRequest(mockExchange)
+            .then(requestCache.getRedirectUri(mockExchange))
+            .as(StepVerifier::create)
+            .verifyComplete();
+    }
+
+    @Test
+    void shouldSaveIfPageCacheable() {
+        var mockExchange = MockServerWebExchange.from(
+            MockServerHttpRequest.get("/archives").accept(MediaType.TEXT_HTML)
+        );
+        requestCache.saveRequest(mockExchange)
+            .then(requestCache.getRedirectUri(mockExchange))
+            .as(StepVerifier::create)
+            .expectNext(URI.create("/archives"))
+            .verifyComplete();
+    }
+
+    @Test
+    void shouldSaveIfQueryPresent() {
+        var mockExchange =
+            MockServerWebExchange.from(MockServerHttpRequest.get("/login?redirect_uri=/halo?q=v"));
+        requestCache.saveRequest(mockExchange)
+            .then(requestCache.getRedirectUri(mockExchange))
+            .as(StepVerifier::create)
+            .expectNext(URI.create("/halo?q=v"));
+    }
+
+    @Test
+    void shouldRemoveIfRedirectUriFound() {
+        var sessionManager = new DefaultWebSessionManager();
+        var mockExchange =
+            MockServerWebExchange.builder(MockServerHttpRequest.get("/login?redirect_uri=/halo"))
+                .sessionManager(sessionManager)
+                .build();
+        var removeExchange = mockExchange.mutate()
+            .request(builder -> builder.uri(URI.create("/halo")))
+            .build();
+        requestCache.saveRequest(mockExchange)
+            .then(Mono.defer(() -> requestCache.removeMatchingRequest(removeExchange)))
+            .as(StepVerifier::create)
+            .assertNext(request -> {
+                Assertions.assertEquals(URI.create("/halo"), request.getURI());
+            })
+            .verifyComplete();
+    }
+
+}