The verify view was not passing along the next param to the two factor

view. Now if it is passed and it is a url on the same domain that request originates from then it is used.
2026-02-05 10:53:28 -05:00 · 2016-03-14 16:30:48 +00:00
parent 05947d047a
commit 8561391cd2
3 changed files with 66 additions and 3 deletions
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -4,7 +4,8 @@ from flask import (
    url_for,
    session,
    abort,
-    flash
+    flash,
+    request
 )

 from flask.ext.login import (current_user, login_fresh, confirm_login)
@@ -41,7 +42,10 @@ def sign_in():
                return redirect(url_for('.verify'))
            elif user.is_active():
                users_dao.send_verify_code(user.id, 'sms', user.mobile_number)
-                return redirect(url_for('.two_factor'))
+                if request.args.get('next'):
+                    return redirect(url_for('.two_factor', next=request.args.get('next')))
+                else:
+                    return redirect(url_for('.two_factor'))
        # Vague error message for login in case of user not known, locked, inactive or password not verified
        flash('Username or password is incorrect')

--- a/app/main/views/two_factor.py
+++ b/app/main/views/two_factor.py
@@ -3,7 +3,8 @@ from flask import (
    render_template,
    redirect,
    session,
-    url_for
+    url_for,
+    request
 )

 from flask_login import login_user
@@ -37,9 +38,23 @@ def two_factor():
            login_user(user, remember=True)
        finally:
            del session['user_details']
+
+        next_url = request.args.get('next')
+        if next_url and _is_safe_redirect_url(next_url):
+            return redirect(next_url)
+
        if len(services) == 1:
            return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
        else:
            return redirect(url_for('main.choose_service'))

    return render_template('views/two-factor.html', form=form)
+
+
+# see http://flask.pocoo.org/snippets/62/
+def _is_safe_redirect_url(target):
+    from urllib.parse import urlparse, urljoin
+    host_url = urlparse(request.host_url)
+    redirect_url = urlparse(urljoin(request.host_url, target))
+    return redirect_url.scheme in ('http', 'https') and \
+        host_url.netloc == redirect_url.netloc