remove next query string from authentication logic.

Russell Ballestrini requested to merge fu-next-recursion-spammers into master
modified:   development.ini
modified:   make_post_sell/templates/verification-challenge.j2
modified:   make_post_sell/tests/test_functional.py
modified:   make_post_sell/views/__init__.py
modified:   make_post_sell/views/authentication.py

PR Summary: Remove next Parameter from Authentication Route

Objective: This PR aims to enhance the security and maintainability of the authentication flow by removing the next parameter from the authentication route and handling redirection logic more securely.

Key Changes:

Removal of next Parameter:
    The next parameter has been completely removed from the authentication route. This change prevents potential security vulnerabilities associated with open redirects and simplifies the authentication logic.

Session-Based Redirection:
    Redirection logic now relies on session storage to handle the intended destination after successful authentication. This ensures that users are redirected to their original destination securely and without exposing sensitive data in URLs.

Updated View Decorators:
    All relevant view decorators have been updated to store the intended destination URL in the session when a user is blocked due to lack of authentication or permissions. This ensures a consistent user experience across the application.

Template Adjustments:
    The verification-challenge.j2 template has been updated to remove any hidden fields related to next, reflecting the new session-based approach.

Test Suite Updates:
    The test suite has been revised to align with the new authentication flow. Tests now ensure that session handling is correctly implemented and that users are redirected appropriately after authentication.

Benefits:

Enhanced Security: By removing the next parameter from URLs, the application mitigates risks associated with URL manipulation and open redirects.
Improved Maintainability: The authentication logic is now more straightforward, relying on server-side session management rather than client-side URL parameters.
Consistent User Experience: Users are seamlessly redirected to their intended destinations after logging in, without the need for query parameters.

Testing:

Comprehensive testing has been conducted to ensure that the new authentication flow works as expected, with particular focus on session management and redirection logic.

PR body by fxhp-bot

Edited by Russell Ballestrini
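The session-based redirect the PR body describes, written out as an added illustration; this is not the make_post_sell code, and the request object, decorator shape and session key name below are framework-neutral assumptions. The point a reviewer would check is that the stored destination is validated as a same-site relative path both when it is stored and when it is consumed, so moving the value out of the URL does not simply move an open redirect into the session.

```python
from functools import wraps
from urllib.parse import urlsplit

SESSION_KEY = "next_path"  # assumed name of the session slot
FALLBACK = "/"             # destination when nothing safe was stored

def is_safe_local_path(candidate):
    """Accept only a same-site relative path such as '/shop?cat=seeds'.
    Rejects absolute URLs, scheme-relative '//evil.example', backslashes
    (some browsers normalise '/\\' to '//') and control characters."""
    if not isinstance(candidate, str) or not candidate.startswith("/"):
        return False
    if candidate.startswith("//") or "\\" in candidate:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""

def remember_destination(session, path_qs):
    """Keep the blocked request's path server-side instead of in the login
    URL; an unsafe value is discarded rather than stored."""
    if is_safe_local_path(path_qs):
        session[SESSION_KEY] = path_qs
    else:
        session.pop(SESSION_KEY, None)

def pop_destination(session):
    """Consume the stored path once (no replay) and re-validate it on the way out."""
    target = session.pop(SESSION_KEY, None)
    return target if is_safe_local_path(target) else FALLBACK

def requires_login(view):
    """Decorator: logged-in users run the view; others have their intended
    destination remembered and get a plain /login redirect, no `next`."""
    @wraps(view)
    def wrapper(request):
        if request.user is None:
            remember_destination(request.session, request.path_qs)
            return ("redirect", "/login")
        return view(request)
    return wrapper

class FakeRequest:  # constructed stand-in for a framework request (assumption)
    def __init__(self, path_qs, user=None, session=None):
        self.path_qs, self.user = path_qs, user
        self.session = {} if session is None else session
```

After a successful login, the login view calls pop_destination(request.session) and redirects there; the one-shot pop means a stale destination cannot be replayed on a later login.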