Comments (6)
ssimono
commented on July 20, 2024
FYI I went around this problem by overriding the default allauth login template with something like this
<form class="login" method="POST" action="{% url 'account_login' %}{% if redirect_field_value %}?{{ redirect_field_name }}={{ redirect_field_value }}{% endif %}">so the form's action attribute takes next parameter into account. But maybe allauth-2fa could benefit from handling the next parameter with POST as well
from django-allauth-2fa.
clokep
commented on July 20, 2024
Our login form looks something like this:
<form class="login" method="POST" action="{% url 'account_login' %}?{{ request.GET.urlencode }}">
{% csrf_token %}
{% bootstrap_form form layout='placeholder' %}
{% if redirect_field_value %}
<input type="hidden" name="{{ redirect_field_name }}" value="{{ redirect_field_value }}" />
{% endif %}
<button class="btn btn-info btn-block" type="submit">Log In</button>
</form>(Note that this uses django-bootstrap3, but those just render to standard HTML fields.)
It looks like we're passing forward the next parameter by passing it in as part of request.GET.urlencode? Ideally this would work with the standard allauth template/form too!
Thanks for identifying the problem so succinctly, any idea how allauth handles this parameter that passed in / what the fix would be?
from django-allauth-2fa.
ssimono
commented on July 20, 2024
Hello,
So in the form you posted, I see that you pass the next parameter with GET and POST at the same time. GET with request.GET.urlencode and POST with the hidden input. And allauth-2fa only handles GET but it is fine in your case.
I looked into allauth source and after going several layers deep I found that it takes the POST parameter and defaults to the GET parameter if not found.
So I would say that the fix for allauth-2fa would be to add this field in the authenticate form and in the authenticate template, so it gets passed to allauth if provided. I might actually try to make a PR at some point
from django-allauth-2fa.
clokep
commented on July 20, 2024
@ssimono A pull request would be appreciated! Let me know if you have any questions or need guidance. π
from django-allauth-2fa.
akx
commented on July 20, 2024
This can be a little tricky. The way we get to OTPAdapter.login() is through here: https://github.com/pennersr/django-allauth/blob/bd1d4a83b2490b7929310f9301ae8a1d4db7d54a/allauth/account/utils.py#L149-L150
The actual redirect_url, whether it's been obtained from POST, GET or static configuration, is not directly passed to the adapter... There are two ways to try to acquire it, both of which are dirty in their own ways:
- Walk up the call stack using
sys.getframe()or similar to find the bottom-mostredirect_urlstring (it should be only one frame higher than the adapter) - Assume everyone uses
nextas their redirect URL parameter/POST field name and look them up inself.requestin the adapter.
I'd personally prefer option 1.
from django-allauth-2fa.
ErwinJunge
commented on July 20, 2024
I think I've written up a standards-compliant way of fixing this for GET and POST. Tests included. See accompanying PR. It uses the pre-existing methods for getting the success_url from the view class, after getting that from the request.
from django-allauth-2fa.
Related Issues (20)
- Plan for a 1.0 release HOT 8
- Rename main branch to 'main' HOT 2
- Redirect-to-next breaks with certain view classes
- OTP login breaks with subclassed OTPAdapter
- TypeError at /account/two-factor-authenticate - exists again in 0.9 HOT 2
- Join jazzband? HOT 11
- When usinging allauth with email login the login screen does not navigate to totp entry HOT 1
- can someone point how to enable 2FA using email for all users? HOT 1
- Configurable redirect URLs HOT 1
- Not compatible with function-based login view HOT 4
- Disabling 2FA does not work with a backup token HOT 2
- Success social login directing to failed social login page HOT 2
- ALLAUTH_2FA_SETUP_SUCCESS_URL and ALLAUTH_2FA_REMOVE_SUCCESS_URL not used in views
- RestFul api use HOT 1
- Make it possible to disable 2fa without a token.
- Templates are not included in 0.11.0 wheel distribution HOT 1
- Missing dependabot config HOT 3
- When using with the latest version of django-allauth, 2FAΒ is bypassed HOT 5
- Consider where django-allauth-2fa stands now django-allauth has MFA built-in HOT 4
- user_logged_in signal from Django is executed twice
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-allauth-2fa.