--- loncom/auth/lonauth.pm	2018/11/10 10:53:01	1.155
+++ loncom/auth/lonauth.pm	2018/12/26 20:10:21	1.156
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.155 2018/11/10 10:53:01 raeburn Exp $
+# $Id: lonauth.pm,v 1.156 2018/12/26 20:10:21 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -304,6 +304,13 @@ sub failed {
             $retry .= (($retry=~/\?/)?'&':'?').'firsturl='.$firsturl;
         }
     }
+    if (exists($form->{linkprot})) {
+        my $ltoken = &Apache::lonnet::tmpput({linkprot => $form->{'linkprot'}},
+                                             $r->dir_config('lonHostID'));
+        if ($ltoken) {
+            $retry .= (($retry =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+        }
+    }
     my $end_page = &Apache::loncommon::end_page();
     &Apache::loncommon::content_type($r,'text/html');
     $r->send_http_header;
@@ -438,7 +445,7 @@ sub handler {
         return OK;
     }
 
-    my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr)=split(/&/,$tmpinfo);
+    my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr,$linkprotstr)=split(/&/,$tmpinfo);
     if ($rolestr) {
         $rolestr = &unescape($rolestr);
     }
@@ -448,6 +455,9 @@ sub handler {
     if ($iptokenstr) {
         $iptokenstr = &unescape($iptokenstr);
     }
+    if ($linkprotstr) {
+        $linkprotstr = &unescape($linkprotstr);
+    }
     if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) {
         $form{'firsturl'} = $firsturl;
     }
@@ -460,6 +470,9 @@ sub handler {
     if ($iptokenstr =~ /^iptoken=/) {
         (undef,$form{'iptoken'}) = split('=',$iptokenstr);
     }
+    if ($linkprotstr =~ /^linkprot=/) {
+        (undef,$form{'linkprot'}) = split('=',$linkprotstr);
+    }
 
     my $upass = $ENV{HTTPS} ? $form{'upass0'} 
         : &Apache::loncommon::des_decrypt($key,$form{'upass0'});
@@ -632,7 +645,7 @@ sub handler {
                      \%form);
             my $switchto = '/adm/switchserver?otherserver='.$otherserver;
             if (($firsturl) && ($firsturl ne '/adm/switchserver') && ($firsturl ne '/adm/roles')) {
-                $switchto .= '&origurl='.$firsturl;
+                $switchto .= '&origurl='.$firsturl; #should escape
             }
             if ($form{'role'}) {
                 $switchto .= '&role='.$form{'role'};
@@ -640,6 +653,9 @@ sub handler {
             if ($form{'symb'}) {
                 $switchto .= '&symb='.$form{'symb'};
             }
+            if ($form{'linkprot'}) {
+                $env{'request.linkprot'} = $form{'linkprot'};
+            }
             $r->internal_redirect($switchto);
         } else {
             $r->print(&noswitch());
@@ -653,7 +669,7 @@ sub handler {
                          \%form);
                 my $switchto = '/adm/switchserver?otherserver='.$otherserver;
                 if (($firsturl) && ($firsturl ne '/adm/switchserver') && ($firsturl ne '/adm/roles')) {
-                    $switchto .= '&origurl='.$firsturl;
+                    $switchto .= '&origurl='.$firsturl; #should escape
                 }
                 if ($form{'role'}) {
                     $switchto .= '&role='.$form{'role'};
@@ -661,6 +677,9 @@ sub handler {
                 if ($form{'symb'}) {
                     $switchto .= '&symb='.$form{'symb'};
                 }
+                if ($form{'linkprot'}) {
+                    $env{'request.linkprot'} = $form{'linkprot'};
+                }
                 $r->internal_redirect($switchto);
             } else {
                 $r->print(&noswitch());
@@ -690,6 +709,9 @@ sub handler {
             if ($unloaded) {
                 &success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',
                          undef,\%form);
+                if ($form{'linkprot'}) {
+                    $env{'request.linkprot'} = $form{'linkprot'};
+                }
                 $r->internal_redirect('/adm/switchserver?otherserver='.$unloaded.'&origurl='.$firsturl);
                 return OK;
             }
@@ -697,7 +719,15 @@ sub handler {
         if (($is_balancer) && ($hosthere)) {
             $form{'noloadbalance'} = $hosthere;
         }
-        &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef,
+        my $extra_env;
+        if ($form{'linkprot'}) {
+            my ($linkprotector,$uri) = split(/:/,$form{'linkprot'},2);
+            if ($linkprotector) {
+                $extra_env = {'user.linkprotector' => $linkprotector,
+                              'user.linkproturi'   => $uri,};
+            }
+        }
+        &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,$extra_env,
                  \%form);
         return OK;
     }
@@ -744,6 +774,7 @@ sub check_can_host {
                 my $protocol = $Apache::lonnet::protocol{$login_host};
                 $protocol = 'http' if ($protocol ne 'https');
                 my $newurl = $protocol.'://'.$hostname.'/adm/createaccount';
+#FIXME Should preserve where user was going and linkprot by setting ltoken at $login_host
                 $r->print(&Apache::loncommon::start_page('Create a user account in LON-CAPA').
                           '<h3>'.&mt('Account creation').'</h3>'.
                           &mt('You do not currently have a LON-CAPA account at this institution.').'<br />'.
@@ -760,6 +791,9 @@ sub check_can_host {
         } else {
             &success($r,$form->{'uname'},$udom,$authhost,'noredirect',undef,
                      $form);
+            if ($form->{'linkprot'}) {
+                $env{'request.linkprot'} = $form->{'linkprot'};
+            }
             my ($otherserver) = &Apache::lonnet::choose_server($udom);
             $r->internal_redirect('/adm/switchserver?otherserver='.$otherserver);
         }