CAS automatic login should respect existing destination parameter

Ok, I verified this is a bug with the CAS module. I don't think it has anything to do with that core patch, only that the core patch surfaced the problem.

Here's the problem in more detail:

- You have your site configured to force users to login when visiting /user/*
- User visits /user/login?destination=/some/other/page
- CAS event subscriber detects that user should be forced to login, so it redirects them to the CAS server to login
- Drupal core has RedirectResponseSubscriber that runs on redirect requests and checks if the URL contains a "destination" parameter in it. If so, then it sends the user to the destination instead of to the original redirect location (the CAS server).

Can you please try out this patch and see if it works for you? Not sure if the tests will pass or not. But I can fix them if this addresses your problem.

Actually here's the correct patch.

Hmpf... actually this is quite tricky, due to core's RedirectResponseSubscriber.

Imagine this scenario:

1. CAS module configured to automatically log someone in when they visit page /node/1.
2. Someone visits page /node/1?destination=/node/2.
3. Ideally, CAS should authenticate the user, and return them to the exact page /node/1?destination=/node/2.

My current path will authenticate them and return them to /node/2, which is really not quite right. The destination parameter in Drupal is meant to be used for form submissions, so that once a form is submitted on /node/1, the user would be returned to /node/2. The CAS module should not perform that redirect to /node/2.

There seems to be no way to actually return them to /node/1?destination=/node/2, because after we authenticate the user with CAS, the CAS module returns a redirect response to the /node/1?destination=/node/2, but Drupal core's RedirectResponseSubscriber would intervene and actually return them to /node/2.

What I can do instead is just strip the destination parameter entirely so that this happens:

1. CAS module configured to automatically log someone in when they visit page /node/1.
2. Someone visits page /node/1?destination=/node/2.
3. CAS module authenticates user and returns them to /node/1. The destination param is stripped.

This would at the very least fix the issue that surfaced from patch in #2582797: [Regression] login link has no destination=drupalSettings.path, so dumps you on the profile. Basically if someone visited /user/login?destination=/node/1, and CAS was configured to auto login users that visit /user/*, then it would log them in, but it would return them to the page they were on and not /node/1. It's not ideal, but not sure we can get to ideal.

Okay, I actually found a way to make this work. I think it actually simplifies things a bit too.

This may fix the tests

Let's try again

Alright I ran thru this logic again and I think this is the way to go. This is a good bug to have fixed.