Merge pull request #16 from maykinmedia/issue/add-missing-next-contex…

…t-var 🐛 Ensure that mfa-disabled logins respect the ?next= query param
maykinmedia · Feb 27, 2024 · e78de35 · e78de35
2 parents 020fa9c + 3b68382
commit e78de35
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/maykin_2fa/views.py b/maykin_2fa/views.py
@@ -46,6 +46,11 @@ def get_redirect_url(self):
 
     def get_context_data(self, form, **kwargs):
         context = super().get_context_data(form, **kwargs)
+
+        # upstream doesn't provide a value for the "next" context variable at all
+        redirect_to = self.request.GET.get(self.redirect_field_name, "")
+        context.setdefault("next", redirect_to)
+
         context.update(
             {
                 **admin.site.each_context(self.request),

diff --git a/tests/test_admin_login_flow.py b/tests/test_admin_login_flow.py
@@ -76,3 +76,24 @@ def test_non_verified_user_is_logged_out(settings, totp_device, client: Client):
     assert login_response.wsgi_request.path == admin_login_url
     assertTemplateUsed(login_response, "maykin_2fa/login.html")
     assertContains(login_response, "Token")
+
+
+def test_mfa_disabled_respects_next_parameter(settings, client: Client, admin_user):
+    settings.MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = settings.AUTHENTICATION_BACKENDS
+    admin_login_url = reverse("admin:login")
+
+    login_page = client.get(admin_login_url, {"next": "/admin/auth/user/"})
+
+    assert login_page.context["next"] == "/admin/auth/user/"
+
+    login_response = client.post(
+        admin_login_url,
+        data={
+            "admin_login_view-current_step": "auth",
+            "auth-username": admin_user.username,
+            "auth-password": "password",
+            "next": "/admin/auth/user/",
+        },
+        follow=True,
+    )
+    assert login_response.wsgi_request.path == "/admin/auth/user/"