Bug
The _set_login_session() function in skrift/controllers/auth.py clears the session for rotation but does not preserve SESSION_AUTH_NEXT, causing all ?next= redirect URLs to be lost after OAuth login.
Reproduction
- Visit `https://example.com/auth/login?next=https://subdomain.example.com/`
- The login page stores `SESSION_AUTH_NEXT` in the session
- Complete the OAuth flow (click provider → authorize → callback)
- Expected: redirect to `https://subdomain.example.com/`
- Actual: redirect to `/` (the default)
Root Cause
In the OAuth callback (oauth_callback), the execution order is:
```python
flash_success(request, "Successfully logged in!")
_set_login_session(request, login_result.user)   # ← session.clear() here
next_url = _get_safe_redirect_url(request, ...)  # ← SESSION_AUTH_NEXT is gone
```
_set_login_session calls request.session.clear() for session rotation, then only restores flash, flash_messages, and _nid. SESSION_AUTH_NEXT is wiped before _get_safe_redirect_url can read it.
Suggested Fix
Preserve SESSION_AUTH_NEXT across the session rotation in _set_login_session:
```python
def _set_login_session(request: Request, user: "User") -> None:
    flash = request.session.get("flash")
    flash_messages = request.session.get("flash_messages")
    nid = request.session.get("_nid")
    auth_next = request.session.get(SESSION_AUTH_NEXT)  # ← add this
    request.session.clear()
    request.session[SESSION_USER_ID] = str(user.id)
    request.session[SESSION_USER_NAME] = user.name
    request.session[SESSION_USER_EMAIL] = user.email
    request.session[SESSION_USER_PICTURE_URL] = user.picture_url
    if flash is not None:
        request.session["flash"] = flash
    if flash_messages is not None:
        request.session["flash_messages"] = flash_messages
    if nid is not None:
        request.session["_nid"] = nid
    if auth_next is not None:  # ← add this
        request.session[SESSION_AUTH_NEXT] = auth_next  # ← add this
```
The same issue exists in `dummy_login_submit`, which follows the same pattern.
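To make the ordering problem concrete, here is an added, self-contained stand-in for the rotation-then-redirect sequence; it is not skrift's code. The session is a plain dict, and the `User` class, the redirect-host allowlist and the `get_safe_redirect_url` validation logic are assumptions for illustration (the issue does not describe how skrift validates `next`).

```python
# Added example, not the skrift project's code: a minimal stand-in for the
# session rotation in _set_login_session() showing SESSION_AUTH_NEXT being
# wiped, and the fix. The session is a plain dict; the User class, the host
# allowlist and the get_safe_redirect_url logic are assumptions.
from dataclasses import dataclass
from urllib.parse import urlparse

SESSION_USER_ID = "user_id"
SESSION_AUTH_NEXT = "auth_next"
PRESERVED_KEYS = ("flash", "flash_messages", "_nid")  # what the original keeps

# Assumed allowlist: hosts the login page may send the browser back to.
ALLOWED_REDIRECT_HOSTS = {"example.com", "subdomain.example.com"}
DEFAULT_REDIRECT = "/"


@dataclass
class User:
    id: int


def set_login_session(session: dict, user: User, preserve_next: bool) -> None:
    """Rotate the session (clear + repopulate). preserve_next=False mirrors the bug."""
    keys = PRESERVED_KEYS + ((SESSION_AUTH_NEXT,) if preserve_next else ())
    kept = {k: session[k] for k in keys if k in session}
    session.clear()                      # rotation: drop all pre-login state
    session[SESSION_USER_ID] = str(user.id)
    session.update(kept)                 # restore only the allow-listed keys


def get_safe_redirect_url(session: dict) -> str:
    """Consume SESSION_AUTH_NEXT; accept only a relative path or an allow-listed https host."""
    target = session.pop(SESSION_AUTH_NEXT, None)
    if not target:
        return DEFAULT_REDIRECT
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc and target.startswith("/") and not target.startswith("//"):
        return target                    # same-origin relative path
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return DEFAULT_REDIRECT              # unknown host (open-redirect attempt) or junk


def login_and_redirect(next_url: str, preserve_next: bool) -> str:
    """Replay the reproduction: /auth/login?next=... is stored, then the callback runs."""
    session = {SESSION_AUTH_NEXT: next_url, "flash": "Successfully logged in!"}
    set_login_session(session, User(id=42), preserve_next)
    return get_safe_redirect_url(session)


if __name__ == "__main__":
    print(login_and_redirect("https://subdomain.example.com/", preserve_next=False))  # /
    print(login_and_redirect("https://subdomain.example.com/", preserve_next=True))   # https://subdomain.example.com/
```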
Impact
All ?next= redirect flows after login are broken. This affects any multi-domain setup (subdomains, external redirects) where the login page is on a different domain than the target.