Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Ensure that mfa-disabled logins respect the ?next= query param #16

Merged
merged 1 commit into from
Feb 27, 2024
Merged

🐛 Ensure that mfa-disabled logins respect the ?next= query param #16

merged 1 commit into from
Feb 27, 2024

Conversation

sergei-maertens
Copy link
Member

Came across this while writing tests for Open Forms.

This is actually a defect in the upstream library, I can't seem to find a place where the next param would be provided to the template context.

pi-sigma
pi-sigma requested changes Feb 27, 2024
View reviewed changes
Copy link

@pi-sigma pi-sigma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor remarks/questions. I'm curious about the redirect, as I'm often not 100% sure how to handle this myself.

tests/test_admin_login_flow.py Show resolved Hide resolved
maykin_2fa/views.py
@@ -46,6 +46,11 @@ def get_redirect_url(self):

def get_context_data(self, form, **kwargs):
context = super().get_context_data(form, **kwargs)

# upstream doesn't provide a value for the "next" context variable at all
redirect_to = self.request.GET.get(self.redirect_field_name, "")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Why isn't the redirect defined in get_redirect_url?
  • Shouldn't we use url_has_allowed_host_and_scheme to validate the redirect?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • get_redirect_url takes it from request.POST or request.GET, but those params are empty because they're not passed to the template during the GET phase of the form

  • about url_has_allowed_host_and_scheme - yes, this happens too when consuming the redirect URL and actually doing the URL! django-two-factor-auth behaves correctly here. I have added explicit tests for this in Open Forms too to be sure :)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to know about this behavior of get_redirect_url.

@sergei-maertens sergei-maertens merged commit e78de35 into main Feb 27, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pi-sigma pi-sigma pi-sigma approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sergei-maertens @pi-sigma