Logged in users accessing /login aren't redirected
My understanding is that when a logged in user accesses the /login endpoint, she should be redirected to SECURITY_POST_LOGIN_VIEW.
It seems that with flask-security-too==3.3.0 this behavior is broken - users aren’t redirected, they are shown the login form instead. Even stranger, after a successful POST they still don’t get redirected (while unauthenticated users that do a successful POST login are redirected to SECURITY_POST_LOGIN_VIEW).
I confirmed this behavior with flask-security-too==3.3.0 and flask-security-too==3.3.1.
I also confirmed things work as expected with flask-security-too==3.2.0 and the master branch of the original flask-security.
Here’s a log of requests when logged in user accesses login endpoint:
For flask-security-too==3.2.0
14:45:03 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/login HTTP/1.1" 302 -
14:45:03 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp HTTP/1.1" 308 -
14:45:03 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/ HTTP/1.1" 200 -
For flask-security-too==3.3.0 and flask-security-too==3.3.1
14:47:55 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:47:55] "GET /myapp/login HTTP/1.1" 200 -
14:48:00 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:48:00] "POST /myapp/login HTTP/1.1" 200 -
(note that in second case I manually logged in/sent POST request after GET /login response and wasn’t redirected).
Just for completeness - when an unauthenticated user accesses the /login view, the flow works as expected:
14:56:46 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:56:46] "GET /myapp/login HTTP/1.1" 200 -
14:56:50 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:56:50] "POST /myapp/login HTTP/1.1" 302 -
14:56:50 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp HTTP/1.1" 308 -
14:56:50 flask.1 | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp/ HTTP/1.1" 200 -
Also if a logged in user accesses the /login page and then manually goes to the main page, she can access it without problems, no surprises here.
Am I missing something, some setting, or is it really a bug? I know there were some big changes with the 3.3.0 version, but I studied the change log carefully and didn’t see anything that would seem connected.
Top GitHub Comments
Thanks for the detailed report. I am AFK for a few days, will look into it when I get back. Seems like a bug.
I checked behavior for login redirection and required 2FA with latest master (647ff48) and they both behave as expected 😃 Thank you very much, it’s really nice to see these in flask-security.
I have a small issue regarding current_user.tf_primary_method inconsistency between 2FA enabled and 2FA required, but that’s best discussed separately #226