Fix redirect-after-login when using TOTP

If user has both WebAuthn and TOTP configured, when logging in, they will be asked to choose between "Use security keys" and "Use authenticator app". The "Use authenticator app" is a link to a different page (/accounts/login/two_factor/totp/). This commit makes sure the ?next= query parameter is preserved when navigating to that page. For reference, the ?next= query parameter is the URL we should redirect to after a successful login. Use case: User is logged out. They click on a bookmarked "Check Details" link. They get redirected to the login form. After entering username & password and completing 2FA, they get redirected to the "Check Details" page they originally wanted to visit.
2021-08-06 12:09:41 +03:00 · 2021-08-06 12:09:41 +03:00 · f85aec225d
commit f85aec225d
parent e6427995b7
3 changed files with 20 additions and 4 deletions
--- a/hc/accounts/tests/test_login_webauthn.py
+++ b/hc/accounts/tests/test_login_webauthn.py
@ -33,6 +33,14 @@ class LoginWebAuthnTestCase(BaseTestCase):
        r = self.client.get(self.url)
        self.assertContains(r, "Use authenticator app")

+    def test_it_preserves_next_parameter_in_totp_url(self):
+        self.profile.totp = "0" * 32
+        self.profile.save()
+
+        url = self.url + "?next=" + self.channels_url
+        r = self.client.get(url)
+        self.assertContains(r, "/login/two_factor/totp/?next=" + self.channels_url)
+
    def test_it_requires_unauthenticated_user(self):
        self.client.login(username="alice@example.org", password="password")

--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -827,9 +827,17 @@ def login_webauthn(request):
    options, state = FIDO2_SERVER.authenticate_begin(credentials)
    request.session["state"] = state

+    totp_url = None
+    if user.profile.totp:
+        totp_url = reverse("hc-login-totp")
+
+        redirect_url = request.GET.get("next")
+        if _allow_redirect(redirect_url):
+            totp_url += "?next=%s" % redirect_url
+
    ctx = {
        "options": base64.b64encode(cbor.encode(options)).decode(),
-        "offer_totp": True if user.profile.totp else False,
+        "totp_url": totp_url,
    }
    return render(request, "accounts/login_webauthn.html", ctx)

--- a/templates/accounts/login_webauthn.html
+++ b/templates/accounts/login_webauthn.html
@ -13,7 +13,7 @@
    <h1>Two-factor Authentication</h1>

    <div id="pick-method">
-        {% if offer_totp %}
+        {% if totp_url %}
        <p>Please select how you want to authenticate.</p>
        {% else %}
        <p>
@ -26,8 +26,8 @@
            id="use-key-btn"
            type="button"
            class="btn btn-primary">Use security key</button>
-        {% if offer_totp %}
-        <a href="{% url 'hc-login-totp' %}" class="btn btn-default">
+        {% if totp_url %}
+        <a href="{{ totp_url }}" class="btn btn-default">
            Use authenticator app
        </a>
        {% endif %}