From 2541e9d1ebb7f88a67268d154605513f458f6fe7 Mon Sep 17 00:00:00 2001
From: WithoutPants <53250216+WithoutPants@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:26:31 +1100
Subject: [PATCH] Refactor login page to not include in history (#5747)
---
 internal/api/session.go | 13 ++++---------
 ui/login/login.html | 30 ++++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/internal/api/session.go b/internal/api/session.go
index af31faab5..716f11eb3 100644
--- a/internal/api/session.go
+++ b/internal/api/session.go
@@ -78,11 +78,6 @@ func handleLogin() http.HandlerFunc {
 func handleLoginPost() http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
- url := r.FormValue(returnURLParam)
- if url == "" {
- url = getProxyPrefix(r) + "/"
- }
-
 err := manager.GetInstance().SessionStore.Login(w, r)
 if err != nil {
 // always log the error
@@ -92,17 +87,17 @@ func handleLoginPost() http.HandlerFunc {
 var invalidCredentialsError *session.InvalidCredentialsError
 if errors.As(err, &invalidCredentialsError) {
- // serve login page with an error
- serveLoginPage(w, r, url, "Username or password is invalid")
+ http.Error(w, "Username or password is invalid", http.StatusUnauthorized)
 return
 }
 if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
+ // don't expose the error to the user
+ http.Error(w, "An unexpected error occurred. See logs", http.StatusInternalServerError)
 return
 }
- http.Redirect(w, r, url, http.StatusFound)
+ w.WriteHeader(http.StatusOK)
 }
 }
diff --git a/ui/login/login.html b/ui/login/login.html
index 39882e0da..dce06a905 100644
--- a/ui/login/login.html
+++ b/ui/login/login.html
@@ -10,11 +10,37 @@ + + +
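Review bot: With `http.Redirect(w, r, url, http.StatusFound)` replaced by `w.WriteHeader(http.StatusOK)` in the second session.go hunk, the handler no longer decides where the browser goes after login, so any check on the return URL presumably has to live in the login page script, whose lines are not readable in this patch. That script should navigate only to a same-origin path and fall back to the application root otherwise, because a return URL taken from the request is caller-controlled. The new response contract is also undocumented; a comment above `handleLoginPost`, which begins before this hunk, such as `// handleLoginPost replies 200 on success, 401 on invalid credentials and 500 otherwise; the login page performs the redirect.` would make it explicit for other clients of the endpoint.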
-
+
@@ -27,7 +53,7 @@ {{.Error}}
- +