Skip to content

Fix dashboard URL in aspire describe to use returnUrl instead of path concat#15337

Closed
adamint wants to merge 2 commits intomicrosoft:release/13.2from
adamint:dev/adamint/fix-dashboard-url-15171
Closed

Fix dashboard URL in aspire describe to use returnUrl instead of path concat#15337
adamint wants to merge 2 commits intomicrosoft:release/13.2from
adamint:dev/adamint/fix-dashboard-url-15171

Conversation

@adamint
Copy link
Member

@adamint adamint commented Mar 17, 2026

Description

Fix malformed dashboard URLs in aspire describe output.

The dashboardBaseUrl passed to ResourceSnapshotMapper is a login URL with a token (e.g., https://host/login?t=TOKEN). CombineUrl naively appended the resource path with /, producing malformed URLs:

https://host/login?t=TOKEN/?resource=name   ← broken

This PR uses AddReturnUrl instead, which properly appends a returnUrl query parameter so the dashboard redirects after login:

https://host/login?t=TOKEN&returnUrl=%2F%3Fresource%3Dname   ← correct

Re @JamesNK's comment: agreed that not every URL needs to go through /login. However, dashboardBaseUrl in this code path is always the BaseUrlWithLoginToken from DashboardUrlsHelper — the base URL without the token isn't surfaced separately to the resource mapper. Since the dashboardUrl per resource is the only URL consumers get (e.g., from aspire describe --format json), we keep it as a full login URL with returnUrl so it works as a single click-through link. Consumers that want the plain dashboard base URL can strip the /login?... portion themselves.

Fixes #15171

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

adamint added 2 commits March 17, 2026 19:21
@adamint
Fix dashboard URL construction in aspire describe
f28254c 
The dashboardBaseUrl passed to ResourceSnapshotMapper is a login URL
with a token (e.g., https://host/login?t=TOKEN). CombineUrl naively
appended the resource path with '/', producing malformed URLs like:
  https://host/login\?t\=TOKEN/\?resource\=name

Use AddReturnUrl instead, which properly appends a returnUrl query
parameter so the dashboard redirects after login:
  https://host/login\?t\=TOKEN\&returnUrl\=%2F%3Fresource%3Dname

Fixes microsoft#15171
@adamint
Add tests for dashboard URL returnUrl format and null base URL
d80ffd5
Copilot AI review requested due to automatic review settings March 17, 2026 23:23
@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15337

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15337"

@adamint adamint self-assigned this Mar 17, 2026
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes generation of per-resource dashboard links in the Aspire CLI when the provided dashboard URL is actually a login URL that already contains query parameters (e.g., .../login?t=TOKEN), by appending the resource destination via a returnUrl query parameter instead of path concatenation.

Changes:

  • Update CLI resource mapping to build dashboard links using returnUrl on the login URL (avoids malformed ...login?t=TOKEN/?resource=... links).
  • Add DashboardUrls.AddReturnUrl() helper to append returnUrl to an existing URL with query parameters.
  • Expand/adjust unit tests to validate correct dashboard URL construction and null handling.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
tests/Aspire.Cli.Tests/Backchannel/ResourceSnapshotMapperTests.cs Updates/extends tests to assert dashboard URLs use returnUrl and avoid malformed concatenation.
src/Shared/DashboardUrls.cs Adds AddReturnUrl() helper that appends a returnUrl query parameter to an existing URL.
src/Aspire.Cli/Backchannel/ResourceSnapshotMapper.cs Switches dashboard URL construction from CombineUrl() to AddReturnUrl() for login URLs with tokens.

You can also share your feedback on Copilot code review. Take the survey.

tests/Aspire.Cli.Tests/Backchannel/ResourceSnapshotMapperTests.cs
Comment on lines +77 to +82
// Must NOT produce the old malformed URL: .../login?t=TOKEN/?resource=name
Assert.DoesNotContain("?t=e3dad6d7140e583d/", result.DashboardUrl);

// Must use &returnUrl= with the resource path URL-encoded
Assert.StartsWith("https://host:16323/login?t=e3dad6d7140e583d&returnUrl=", result.DashboardUrl);
}
@JamesNK
Copy link
Member

JamesNK commented Mar 17, 2026

aspire describe shouldn't have the token in the URL. I think the bug here is the path/querystring isn't being stripped from the base URL.

@adamint
Copy link
Member Author

adamint commented Mar 17, 2026
edited
Loading

aspire describe shouldn't have the token in the URL. I think the bug here is the path/querystring isn't being stripped from the base URL.

The base URL isn't included anywhere else in the resource JSON. Should we then add a separate field dashboardBaseUrl?

@github-actions github-actions bot mentioned this pull request Mar 18, 2026
Open
@JamesNK
Copy link
Member

JamesNK commented Mar 18, 2026

The dashboard URL is provided when the app starts.

I don't want the dashboard token in URLs for each resource or piece of telemetry that dashboard links to. Maybe that will change in the future, but not for now.

JamesNK
JamesNK requested changes Mar 18, 2026
View reviewed changes
src/Aspire.Cli/Backchannel/ResourceSnapshotMapper.cs
Comment on lines 125 to +126
var resourcePath = DashboardUrls.ResourcesUrl(snapshot.Name);
dashboardUrl = DashboardUrls.CombineUrl(dashboardBaseUrl, resourcePath);
dashboardUrl = DashboardUrls.AddReturnUrl(dashboardBaseUrl, resourcePath);
Copy link
Member

@JamesNK JamesNK Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should take the scheme, host, port from dashboardBaseUrl, and combine it with resourcePath.

@dotnet-policy-service dotnet-policy-service bot added the needs-author-action An issue or pull request that requires more info or actions from the author. label Mar 18, 2026
This was referenced Mar 18, 2026
Closed
Closed
Closed
Closed
Closed
@JamesNK JamesNK closed this Mar 23, 2026
@JamesNK
Copy link
Member

JamesNK commented Mar 23, 2026

Replaced with #15495

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JamesNK JamesNK JamesNK requested changes

Assignees

@adamint adamint

Labels

area-cli needs-author-action An issue or pull request that requires more info or actions from the author.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adamint @JamesNK