complete the oauth flow when logged in via a session token

fixes CNVS-38458

Change-Id: Iea165f46c2f6f0214011262761fd67c40c67f7d7
Reviewed-on: https://gerrit.instructure.com/121825
Tested-by: Jenkins
Reviewed-by: Tyler Pickett <tpickett@instructure.com>
QA-Review: Tucker McKnight <tmcknight@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>

app/controllers/application_controller.rb

@@ -1003,7 +1003,7 @@ class ApplicationController < ActionController::Base
           end
           if pseudonym && pseudonym != @current_pseudonym
             return_to = session.delete(:return_to)
-            reset_session
+            reset_session_saving_keys(:oauth2)
             PseudonymSession.create!(pseudonym)
             session[:used_remember_me_token] = true if token.used_remember_me_token
           end
@@ -1013,6 +1013,11 @@ class ApplicationController < ActionController::Base
           end
         end
         return redirect_to return_to if return_to
+        if (oauth = session[:oauth2])
+          provider = Canvas::Oauth::Provider.new(oauth[:client_id], oauth[:redirect_uri], oauth[:scopes], oauth[:purpose])
+          return redirect_to Canvas::Oauth::Provider.confirmation_redirect(self, provider, pseudonym.user)
+        end
+
         # do one final redirect to get the token out of the URL
         redirect_to remove_query_params(request.original_url, 'session_token')
       end

spec/apis/auth_spec.rb

@@ -300,6 +300,14 @@ describe "API Authentication", type: :request do
         expect(response).to be_client_error
       end
 
+      it "works when the user logs in via a session_token" do
+        flow do
+          follow_redirect!
+          expect(response).to redirect_to(canvas_login_url)
+          get root_url, params: { session_token: SessionToken.new(@pseudonym.id) }
+        end
+      end
+
       context "sharding" do
         specs_require_sharding