Logged in users accessing /login aren't redirected


My understanding is that when a logged-in user accesses the /login endpoint, she should be redirected to SECURITY_POST_LOGIN_VIEW.

It seems that with flask-security-too==3.3.0 this behavior is broken - users aren’t redirected, they are shown the login form instead. Even stranger, after a successful POST they still don’t get redirected (while unauthenticated users that do a successful POST login are redirected to SECURITY_POST_LOGIN_VIEW).

I confirmed this behavior with flask-security-too==3.3.0 and flask-security-too==3.3.1. I also confirmed things work as expected with flask-security-too==3.2.0 and the master branch of the original flask-security.

Here’s a log of requests when a logged-in user accesses the login endpoint:

For flask-security-too==3.2.0

14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/login HTTP/1.1" 302 -
14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp HTTP/1.1" 308 -
14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/ HTTP/1.1" 200 -

For flask-security-too==3.3.0 and flask-security-too==3.3.1

14:47:55 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:47:55] "GET /myapp/login HTTP/1.1" 200 -
14:48:00 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:48:00] "POST /myapp/login HTTP/1.1" 200 -

(Note that in the second case I manually logged in/sent a POST request after the GET /login response and wasn’t redirected.)

Just for completeness - when an unauthenticated user accesses the /login view, the flow works as expected:

14:56:46 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:46] "GET /myapp/login HTTP/1.1" 200 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "POST /myapp/login HTTP/1.1" 302 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp HTTP/1.1" 308 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp/ HTTP/1.1" 200 -

Also, if a logged-in user accesses the /login page and then manually goes to the main page, she can access it without problems, no surprises here.

Am I missing some setting or is it really a bug? I know there were some big changes with the 3.3.0 version, but I studied the change log carefully and didn’t see anything that would seem connected.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (10 by maintainers)
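The three request sequences in the report can be told apart mechanically, which is handy when checking an application before and after a library upgrade. The following is an added example, not code from the issue or from flask-security-too; the function names and labels are assumptions, and the sample input is the access-log lines quoted in the report.

```python
import re

# Matches the request part of a Werkzeug access-log line as quoted in the report.
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Sample input: the log excerpts from the report, one sequence per scenario.
OLD_LOGGED_IN = '''\
14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/login HTTP/1.1" 302 -
14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp HTTP/1.1" 308 -
14:45:03 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:45:03] "GET /myapp/ HTTP/1.1" 200 -
'''
NEW_LOGGED_IN = '''\
14:47:55 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:47:55] "GET /myapp/login HTTP/1.1" 200 -
14:48:00 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:48:00] "POST /myapp/login HTTP/1.1" 200 -
'''
ANONYMOUS = '''\
14:56:46 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:46] "GET /myapp/login HTTP/1.1" 200 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "POST /myapp/login HTTP/1.1" 302 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp HTTP/1.1" 308 -
14:56:50 flask.1   | 127.0.0.1 - - [28/Nov/2019 14:56:50] "GET /myapp/ HTTP/1.1" 200 -
'''

def parse(log_text):
    """Return [(method, path, status)] for every access-log line found."""
    return [(m["method"], m["path"], int(m["status"])) for m in LINE.finditer(log_text)]

def classify_login_flow(log_text, login_suffix="/login"):
    """Label how the login endpoint responded in one request sequence.

    redirected_on_get   : GET /login answered 3xx (logged-in user sent onward)
    redirected_on_post  : form served, then POST answered 3xx (normal login)
    post_not_redirected : POST answered without a redirect (reported for 3.3.x)
    form_only           : form served, nothing posted
    """
    hits = [(method, status) for method, path, status in parse(log_text)
            if path.rstrip("/").endswith(login_suffix)]
    for method, status in hits:
        redirected = 300 <= status < 400
        if method == "GET" and redirected:
            return "redirected_on_get"
        if method == "POST":
            return "redirected_on_post" if redirected else "post_not_redirected"
    return "form_only" if hits else "no_login_request"

if __name__ == "__main__":
    for name, text in [("3.2.0 logged in", OLD_LOGGED_IN),
                       ("3.3.x logged in", NEW_LOGGED_IN),
                       ("unauthenticated", ANONYMOUS)]:
        print(f"{name}: {classify_login_flow(text)}")
```

The access log does not record whether the session was authenticated, so the labels describe the response only.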

Top GitHub Comments

jwag956 commented, Nov 28, 2019

Thanks for the detailed report. I am AFK for a few days; will look into it when I get back. Seems like a bug.


kuba-lilz commented, Dec 5, 2019

I checked behavior for login redirection and required 2FA with latest master (647ff48) and they both behave as expected 😃 Thank you very much, it’s really nice to see these in flask-security.

I have a small issue regarding current_user.tf_primary_method inconsistency between 2FA enabled and 2FA required, but that’s best discussed separately #226
