From 55930eb99c02e4d3f9cefa06e56e4113f5ceeb4b Mon Sep 17 00:00:00 2001 From: Ioannis Igoumenos Date: Mon, 13 Oct 2025 18:41:10 +0300 Subject: [PATCH] =?UTF-8?q?Redirect=20to=20service=20URL=20without=20ticke?= =?UTF-8?q?t=20when=20no=20SSO=20and=20non=E2=80=91interactive=20auth=20fa?= =?UTF-8?q?ils?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/Controller/LoginController.php | 42 ++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/src/Controller/LoginController.php b/src/Controller/LoginController.php index 2b7c4f8..49297c9 100644 --- a/src/Controller/LoginController.php +++ b/src/Controller/LoginController.php @@ -164,6 +164,20 @@ public function login( // This will be used to come back from the AuthSource login or from the Processing Chain $returnToUrl = $this->getReturnUrl($request, $sessionTicket); + /* + * CAS gateway behavior: + * If gateway=true, service is valid, and the user is not authenticated, + * redirect immediately to the service URL with NO query parameters or fragment. + */ + if ($gateway === true && $serviceUrl !== null && !$this->authSource->isAuthenticated()) { + $cleanServiceUrl = $this->stripQueryParameters($serviceUrl); + return new RunnableResponse( + [$this->httpUtils, 'redirectTrustedURL'], + [$cleanServiceUrl] + ); + } + + // Authenticate if ( $requestForceAuthenticate || !$this->authSource->isAuthenticated() 
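Review bot: The added gateway branch passes `$serviceUrl`, presumably taken from the request's service parameter, to `redirectTrustedURL`, yet the only checks visible in the hunk are `$serviceUrl !== null` and the authentication state. The comment's "service is valid" is therefore not established by any line shown here. login() starts and continues outside the hunk, so the check against the configured service list may already run earlier; if it does, a comment such as `// $serviceUrl has already been validated against the configured legal service URLs` would make that dependency explicit, and if it does not, this branch is an open redirect and the validation must precede it. The comment also promises a redirect with "NO query parameters or fragment", while `stripQueryParameters()` is documented to preserve the fragment and does re-append it, so one of the two needs correcting.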
@@ -464,4 +478,32 @@ private function instantiateClassDependencies(): void
 // Attribute Extractor
 $this->attributeExtractor = new AttributeExtractor($this->casConfig, $processingChainFactory);
 }
+
+ /**
+ * Remove query string from a URL while preserving scheme, userinfo, host, port, path and fragment.
+ *
+ * @param string $url
+ * @return string
+ */
+ private function stripQueryParameters(string $url): string
+ {
+ $parts = parse_url($url);
+
+ $scheme = $parts['scheme'] ?? '';
+ $host = $parts['host'] ?? '';
+ $port = isset($parts['port']) ? ':' . $parts['port'] : '';
+ $user = $parts['user'] ?? null;
+ $pass = $parts['pass'] ?? null;
+ $userInfo = $user ? $user . ($pass ? ':' . $pass : '') . '@' : '';
+ $path = $parts['path'] ?? '';
+ $fragment = isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
+
+ // Ensure root path is preserved if it was "/"
+ if ($path === '' && (($parts['path'] ?? '') === '/')) {
+ $path = '/';
+ }
+
+ return sprintf('%s://%s%s%s%s%s', $scheme, $userInfo, $host, $port, $path, $fragment);
+ }
+
 }
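Review bot: `stripQueryParameters()` never checks the result of `parse_url()`: a seriously malformed URL yields `false`, and a relative or scheme-less value has no `scheme`/`host` key, so the method returns a string such as `://` or `:///path` that the caller then passes to `redirectTrustedURL`. Rejecting such input before rebuilding is safer, e.g. `if ($parts === false || !isset($parts['scheme'], $parts['host'])) { throw new \InvalidArgumentException('Invalid service URL'); }`. The "Ensure root path" branch is dead code, because `$path` was just assigned from `$parts['path']` and cannot be `''` while that key equals `'/'`. Re-emitting `user:pass@` in a redirect target is also worth reconsidering, since userinfo is a frequent source of host confusion in URL allow-list checks, and the `$user ?` truthiness test silently drops a user of `'0'`.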