Allow auth plugins to redirect to external url (#7179)

* Allow auth plugins to redirect to external url

Add a new optional field to `RegisterServerExternalAuthenticatedResult`,
the object passed to the `userAuthenticated` callback used by auth plugins.

The server code uses this to redirect to an external website if it is set.

Left TODO:

- This code has been tested manually but a test case is still missing.
- Here or in the plugin, the redirect urls must be limited to values configurable by admins.

* rename to URI for consistency

* add test for the new parameter

* address review comments

- correct syntax for optional parameter
- handle the case where `externalAuthToken` has query parameters included

server/core/lib/auth/external-auth.ts

@@ -45,7 +45,7 @@ async function onExternalUserAuthenticated (options: {
     return
   }
 
-  const { res } = authResult
+  const { res, externalRedirectUri } = authResult
 
   if (!isAuthResultValid(npmName, authName, authResult)) {
     res.redirect('/login?externalAuthError=true')
@@ -76,7 +76,14 @@ async function onExternalUserAuthenticated (options: {
     }
   }
 
-  res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
+  if (externalRedirectUri) {
+    const url = new URL(externalRedirectUri)
+    url.searchParams.set('externalAuthToken', bypassToken)
+    url.searchParams.set('username', user.username)
+    res.redirect(url.href)
+  } else {
+    res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
+  }
 }
 
 async function getAuthNameFromRefreshGrant (refreshToken?: string) {