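/// <summary>
/// Nancy module that completes an integrated-authentication (NTLM) challenge: once the host has
/// populated <c>Context.CurrentUser</c>, it issues an Octopus auth cookie and redirects the browser
/// back into the portal. The <c>redirectTo</c> query-string value is attacker-controllable, so it
/// is only honoured when <c>Requests.IsLocalUrl</c> accepts it; otherwise the user lands on the
/// instance's virtual-directory root.
/// </summary>
/// <param name="log">Receives the warning emitted when a non-local <c>redirectTo</c> is rejected.</param>
/// <param name="tokenIssuer">Creates the auth cookie from the principal's identification token.</param>
/// <param name="responseCreator">Builds the 401 (no principal) and 400 (bad virtual directory) responses.</param>
/// <param name="webPortalConfigurationStore">Supplies the configured list of trusted redirect URLs.</param>
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore)
{
    Get[DirectoryServicesConstants.ChallengePath] = c =>
    {
        // The host is expected to have negotiated NTLM before this route runs; no principal means
        // the challenge did not complete, so do not mint a cookie.
        if (Context.CurrentUser == null)
        {
            return responseCreator.Unauthorized(Request);
        }

        var principal = (IOctopusPrincipal)Context.CurrentUser;
        // Third argument is `false` as in the original; its meaning is defined by IAuthCookieCreator
        // (presumably a persistence/"remember me" flag) -- confirm against that interface.
        var tokenCookie = tokenIssuer.CreateAuthCookie(Context, principal.IdentificationToken, false);

        var directoryPathResult = Request.AbsoluteVirtualDirectoryPath();
        if (!directoryPathResult.IsValid)
        {
            return responseCreator.BadRequest(directoryPathResult.InvalidReason);
        }

        var localPath = directoryPathResult.Path;
        var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls();

        // Read the untrusted redirect target once. Query values are dynamic in Nancy; `.Value`
        // is null when the parameter is absent.
        var redirectTo = Request.Query["redirectTo"];
        bool hasRedirect = redirectTo.HasValue;
        string requestedRedirect = hasRedirect ? redirectTo.Value : null;

        // Safety of the redirect rests entirely on Requests.IsLocalUrl: it must treat
        // protocol-relative (`//host`), backslash and scheme-prefixed targets as non-local, and
        // the whitelist as the only escape hatch -- that helper is not visible here, verify it.
        string redirectLocation;
        if (hasRedirect && Requests.IsLocalUrl(localPath, requestedRedirect, whitelist))
        {
            redirectLocation = requestedRedirect;
        }
        else
        {
            // Only log a blocked redirect when a redirect was actually requested. The original
            // warned on every request without a `redirectTo`, producing a spurious
            // "open redirection" alert with a null URL on the normal no-parameter path, which
            // both misleads SOC triage and buries real attempts.
            if (hasRedirect)
            {
                log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge from the local instance {0} to the non-local url {1}", localPath, requestedRedirect);
            }

            redirectLocation = localPath ?? "/";
        }

        // The cookie is attached in both branches: the user did authenticate; only the
        // destination is constrained.
        return new RedirectResponse(redirectLocation).WithCookie(tokenCookie);
    };
}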