Skip to content

Redirect already-logged-in users from login page safely#79

Merged
davegaeddert merged 3 commits into
masterfrom
claude/prairie-wholesale-plain-cloud-error-wo5ebh
Jul 15, 2026
Merged

Redirect already-logged-in users from login page safely#79
davegaeddert merged 3 commits into
masterfrom
claude/prairie-wholesale-plain-cloud-error-wo5ebh

Conversation

@davegaeddert

Copy link
Copy Markdown
Member

Summary

When an already-logged-in user visits the login page, they are now redirected safely using a new redirect_to_next_url() helper function that validates the redirect target and prevents open redirect vulnerabilities.

Changes

  • Added redirect_to_next_url() helper function in views.py that:

    • Redirects to the next query parameter if present and valid
    • Falls back to a default URL (typically /) for missing, empty, or external URLs
    • Catches ValueError from RedirectResponse to handle invalid external URLs safely
  • Updated LoginLinkFormView.get() to use the new helper when redirecting already-logged-in users, removing the previous form-based redirect logic

  • Updated LoginLinkSentView.get() to use the new helper for consistency

  • Updated FollowLinkView.get() to use the new helper with a custom default URL

  • Added comprehensive test coverage in TestAlreadyLoggedIn class with four test cases:

    • Redirect to home when no next parameter
    • Redirect to next parameter when valid
    • Redirect to home when next is empty
    • Redirect to home when next is an external URL (security check)

Implementation Details

The helper function uses a try/except pattern to handle RedirectResponse's built-in validation, which raises ValueError for external URLs. This provides defense-in-depth against open redirect vulnerabilities while keeping the code simple and maintainable.

https://claude.ai/code/session_01H1ZivVXdALbLRZT7sCwtt8

claude added 3 commits July 14, 2026 20:56
LoginLinkFormView.get() redirected already-logged-in users via
get_success_url(form), which reads form.cleaned_data — but the form is
never validated on a GET, so cleaned_data doesn't exist and the request
500s (seen in production as AttributeError on GET /login/).

Redirect straight to the "next" query param (or "/") instead, matching
what LoginLinkSentView already does for logged-in users.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H1ZivVXdALbLRZT7sCwtt8
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H1ZivVXdALbLRZT7sCwtt8
An empty ?next= slipped past the query-param default and produced a 302
with an empty Location header (a browser self-redirect loop), and an
external ?next= crashed with an unhandled ValueError from
RedirectResponse's open-redirect guard, returning a 500.

Route all three loginlink views through a shared redirect_to_next_url()
helper that falls back to the default destination in both cases.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H1ZivVXdALbLRZT7sCwtt8
@davegaeddert

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@davegaeddert

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@davegaeddert davegaeddert merged commit 1486c68 into master Jul 15, 2026
8 checks passed
@davegaeddert davegaeddert deleted the claude/prairie-wholesale-plain-cloud-error-wo5ebh branch July 15, 2026 02:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants