Skip to content
This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

SECURITY_POST_LOGIN_VIEW conflict with 'next' #850

Open
cwohlers opened this issue Sep 25, 2019 · 3 comments
Open

SECURITY_POST_LOGIN_VIEW conflict with 'next' #850

cwohlers opened this issue Sep 25, 2019 · 3 comments

Comments

@cwohlers
Copy link

I'm having an issue with SECURITY_POST_LOGIN_VIEW that appears identical to #263 and is probably related to #261 except that I'm running Flask-Security version 3.0.0.

I'm setting my config var as

SECURITY_POST_LOGIN_VIEW = '/logged_in'

If I originate from /login exactly, the SECURITY_POST_LOGIN_VIEW works as anticipated. However users visiting / get redirected to /login?next=%2F and SECURITY_POST_LOGIN_VIEW does not work when they login.

It seems like this is an issue that has already been encountered and I'm not properly addressing something? Any thoughts?
@jwag956 jwag956 mentioned this issue Sep 26, 2019
Closed
@jwag956
Copy link
Collaborator

jwag956 commented Sep 26, 2019

I have cloned this issue to my 'fork'.

This behavior goes way back - basically - when redirecting (post login, post register, post logout) it will look first at request.args.next, then request.form.next and THEN the config view.
IMHO this isn't incorrect behavior it might be worth some new configuration options - (and certainly some additional docs).

To do what you want is actually pretty easy:
def unauth():
return flask.redirect(flask.url_for('security.login'))

security.login_manager.unauthorized_handler(unauth)

see if that works for you.

@cwohlers
Copy link
Author

cwohlers commented Sep 26, 2019
edited
Loading

Hey @jwag956, thanks for the input! I did try using the login_manager.unauthorized_handler previously. It does successfully reroute everything to /login but I actually don't want ALL unauthorized calls to reroute to /login.

For my use case I only want calls to the root endpoint (eg '/' or '/index') to utilize the SECURITY_POST_LOGIN_VIEW redirect. I would like to preserve the next value for users trying to got to other urls (eg '/profile?<query string>').

In theory I should be able to conditionally redirect in the unauth() function BUT what I've found is that FLASK-SECURITY already reroutes the request BEFORE login_manager.unauthorized_handler() is called and none of the REQUEST data is preserved. If I try to visit '/profile', by the time I have access to the request object in unauth() the endpoint has reverted to 'index' and the path is u'/'

Is there a way I could get access to the original request object for conditional rerouting?

@jwag956
Copy link
Collaborator

jwag956 commented Sep 26, 2019

Not quite sure your setup. But if you decorate your method with @login_required, and you aren't authenticated, 'unauth' will be called prior to anything in FS being called (assuming you are using session cookies and not auth tokens.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jwag956 @cwohlers