PyPI - flask-appbuilder - Versions diffs - 3.2.1rc1__py3-none-any.whl → 5.0.2rc1__py3-none-any.whl - Mend

flask-appbuilder 3.2.1rc1py3-none-any.whl → 5.0.2rc1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

flask_appbuilder/security/views.py CHANGED Viewed

@@ -1,24 +1,39 @@
 import datetime
 import logging
 import re
+from typing import Any, Optional
 from flask import abort, current_app, flash, g, redirect, request, session, url_for
+from flask_appbuilder._compat import as_unicode
+from flask_appbuilder.actions import action
+from flask_appbuilder.baseviews import BaseView
+from flask_appbuilder.charts.views import DirectByChartView
+from flask_appbuilder.exceptions import (
+    DeleteGroupWithUsersException,
+    DeleteRoleWithUsersException,
+)
+from flask_appbuilder.fieldwidgets import BS3PasswordFieldWidget
+from flask_appbuilder.security.decorators import has_access, no_cache
+from flask_appbuilder.security.forms import (
+    DynamicForm,
+    LoginForm_db,
+    ResetPasswordForm,
+    roles_or_groups_required,
+    UserInfoEdit,
+)
+from flask_appbuilder.security.utils import generate_random_string
+from flask_appbuilder.utils.base import get_safe_redirect, lazy_formatter_gettext
+from flask_appbuilder.validators import PasswordComplexityValidator
+from flask_appbuilder.views import expose, ModelView, SimpleFormView
+from flask_appbuilder.widgets import ListWidget, ShowWidget
 from flask_babel import lazy_gettext
 from flask_login import login_user, logout_user
 import jwt
 from werkzeug.security import generate_password_hash
+from werkzeug.wrappers import Response as WerkzeugResponse
 from wtforms import PasswordField, validators
 from wtforms.validators import EqualTo
-from .decorators import has_access
-from .forms import LoginForm_db, LoginForm_oid, ResetPasswordForm, UserInfoEdit
-from .._compat import as_unicode
-from ..actions import action
-from ..baseviews import BaseView
-from ..charts.views import DirectByChartView
-from ..fieldwidgets import BS3PasswordFieldWidget
-from ..views import expose, ModelView, SimpleFormView
-from ..widgets import ListWidget, ShowWidget
 log = logging.getLogger(__name__)
@@ -65,7 +80,7 @@ class PermissionViewModelView(ModelView):
 class ResetMyPasswordView(SimpleFormView):
     """
-        View for resetting own user password
+    View for resetting own user password
     """
     route_base = "/resetmypassword"
@@ -74,14 +89,14 @@ class ResetMyPasswordView(SimpleFormView):
     redirect_url = "/"
     message = lazy_gettext("Password Changed")
-    def form_post(self, form):
+    def form_post(self, form: DynamicForm) -> None:
         self.appbuilder.sm.reset_password(g.user.id, form.password.data)
         flash(as_unicode(self.message), "info")
 class ResetPasswordView(SimpleFormView):
     """
-        View for reseting all users password
+    View for reseting all users password
     """
     route_base = "/resetpassword"
@@ -90,7 +105,7 @@ class ResetPasswordView(SimpleFormView):
     redirect_url = "/"
     message = lazy_gettext("Password Changed")
-    def form_post(self, form):
+    def form_post(self, form: DynamicForm) -> None:
         pk = request.args.get("pk")
         self.appbuilder.sm.reset_password(pk, form.password.data)
         flash(as_unicode(self.message), "info")
@@ -102,7 +117,7 @@ class UserInfoEditView(SimpleFormView):
     redirect_url = "/"
     message = lazy_gettext("User information changed")
-    def form_get(self, form):
+    def form_get(self, form: DynamicForm) -> None:
         item = self.appbuilder.sm.get_user_by_id(g.user.id)
         # fills the form generic solution
         for key, value in form.data.items():
@@ -111,7 +126,7 @@ class UserInfoEditView(SimpleFormView):
             form_field = getattr(form, key)
             form_field.data = getattr(item, key)
-    def form_post(self, form):
+    def form_post(self, form: DynamicForm) -> None:
         form = self.form.refresh(request.form)
         item = self.appbuilder.sm.get_user_by_id(g.user.id)
         form.populate_obj(item)
@@ -119,6 +134,17 @@ class UserInfoEditView(SimpleFormView):
         flash(as_unicode(self.message), "info")
+def _roles_custom_formatter(string: str) -> str:
+    if current_app.config.get("AUTH_ROLES_SYNC_AT_LOGIN", False):
+        string += (
+            ". <div class='alert alert-warning' role='alert'>"
+            "AUTH_ROLES_SYNC_AT_LOGIN is enabled, changes to this field will "
+            "not persist between user logins."
+            "</div>"
+        )
+    return string
 class UserModelView(ModelView):
     route_base = "/users"
@@ -136,6 +162,7 @@ class UserModelView(ModelView):
         "active": lazy_gettext("Is Active?"),
         "email": lazy_gettext("Email"),
         "roles": lazy_gettext("Role"),
+        "groups": lazy_gettext("Groups"),
         "last_login": lazy_gettext("Last login"),
         "login_count": lazy_gettext("Login count"),
         "fail_login_count": lazy_gettext("Failed login count"),
@@ -151,22 +178,33 @@ class UserModelView(ModelView):
         "username": lazy_gettext(
             "Username valid for authentication on DB or LDAP, unused for OID auth"
         ),
-        "password": lazy_gettext(
-            "Please use a good password policy,"
-            " this application does not check this for you"
-        ),
+        "password": lazy_gettext("The user's password for authentication"),
         "active": lazy_gettext(
             "It's not a good policy to remove a user, just make it inactive"
         ),
         "email": lazy_gettext("The user's email, this will also be used for OID auth"),
-        "roles": lazy_gettext(
+        "roles": lazy_formatter_gettext(
             "The user role on the application,"
-            " this will associate with a list of permissions"
+            " this will associate with a list of permissions",
+            _roles_custom_formatter,
+        ),
+        "groups": lazy_formatter_gettext(
+            "The user group on the application,"
+            " this will associate with a list of roles associated with the group",
+            _roles_custom_formatter,
         ),
         "conf_password": lazy_gettext("Please rewrite the user's password to confirm"),
     }
-    list_columns = ["first_name", "last_name", "username", "email", "active", "roles"]
+    list_columns = [
+        "first_name",
+        "last_name",
+        "username",
+        "email",
+        "active",
+        "roles",
+        "groups",
+    ]
     show_fieldsets = [
         (
@@ -203,16 +241,48 @@ class UserModelView(ModelView):
             {"fields": ["first_name", "last_name", "email"], "expanded": True},
         ),
     ]
+    search_columns = [
+        "first_name",
+        "last_name",
+        "username",
+        "email",
+        "active",
+        "roles",
+        "groups",
+        "created_on",
+        "changed_on",
+        "last_login",
+        "login_count",
+        "fail_login_count",
+    ]
-    search_exclude_columns = ["password"]
-    add_columns = ["first_name", "last_name", "username", "active", "email", "roles"]
-    edit_columns = ["first_name", "last_name", "username", "active", "email", "roles"]
+    add_columns = [
+        "first_name",
+        "last_name",
+        "username",
+        "active",
+        "email",
+        "roles",
+        "groups",
+    ]
+    edit_columns = [
+        "first_name",
+        "last_name",
+        "username",
+        "active",
+        "email",
+        "roles",
+        "groups",
+    ]
     user_info_title = lazy_gettext("Your user information")
+    validators_columns = {
+        "roles": [roles_or_groups_required],
+        "groups": [roles_or_groups_required],
+    }
     @expose("/userinfo/")
     @has_access
-    def userinfo(self):
+    def userinfo(self) -> WerkzeugResponse:
         item = self.datamodel.get(g.user.id, self._base_filters)
         widgets = self._get_show_widget(
             g.user.id, item, show_fieldsets=self.user_show_fieldsets
@@ -226,27 +296,17 @@ class UserModelView(ModelView):
         )
     @action("userinfoedit", lazy_gettext("Edit User"), "", "fa-edit", multiple=False)
-    def userinfoedit(self, item):
+    def userinfoedit(self, item: Any) -> WerkzeugResponse:
         return redirect(
             url_for(self.appbuilder.sm.userinfoeditview.__name__ + ".this_form_get")
         )
-class UserOIDModelView(UserModelView):
-    """
-        View that add OID specifics to User view.
-        Override to implement your own custom view.
-        Then override useroidmodelview property on SecurityManager
-    """
-    pass
 class UserLDAPModelView(UserModelView):
     """
-        View that add LDAP specifics to User view.
-        Override to implement your own custom view.
-        Then override userldapmodelview property on SecurityManager
+    View that add LDAP specifics to User view.
+    Override to implement your own custom view.
+    Then override userldapmodelview property on SecurityManager
     """
     pass
@@ -254,9 +314,9 @@ class UserLDAPModelView(UserModelView):
 class UserOAuthModelView(UserModelView):
     """
-        View that add OAUTH specifics to User view.
-        Override to implement your own custom view.
-        Then override userldapmodelview property on SecurityManager
+    View that add OAUTH specifics to User view.
+    Override to implement your own custom view.
+    Then override userldapmodelview property on SecurityManager
     """
     pass
@@ -264,9 +324,9 @@ class UserOAuthModelView(UserModelView):
 class UserRemoteUserModelView(UserModelView):
     """
-        View that add REMOTE_USER specifics to User view.
-        Override to implement your own custom view.
-        Then override userldapmodelview property on SecurityManager
+    View that add REMOTE_USER specifics to User view.
+    Override to implement your own custom view.
+    Then override userldapmodelview property on SecurityManager
     """
     pass
@@ -274,26 +334,24 @@ class UserRemoteUserModelView(UserModelView):
 class UserDBModelView(UserModelView):
     """
-        View that add DB specifics to User view.
-        Override to implement your own custom view.
-        Then override userdbmodelview property on SecurityManager
+    View that adds DB specifics to User view.
+    Override to implement your own custom view.
+    Then override userdbmodelview property on SecurityManager
     """
     add_form_extra_fields = {
         "password": PasswordField(
             lazy_gettext("Password"),
-            description=lazy_gettext(
-                "Please use a good password policy,"
-                " this application does not check this for you"
-            ),
-            validators=[validators.DataRequired()],
+            description=lazy_gettext("The user's password for authentication"),
+            validators=[validators.DataRequired(), PasswordComplexityValidator()],
             widget=BS3PasswordFieldWidget(),
         ),
         "conf_password": PasswordField(
             lazy_gettext("Confirm Password"),
             description=lazy_gettext("Please rewrite the user's password to confirm"),
             validators=[
-                EqualTo("password", message=lazy_gettext("Passwords must match"))
+                validators.DataRequired(),
+                EqualTo("password", message=lazy_gettext("Passwords must match")),
             ],
             widget=BS3PasswordFieldWidget(),
         ),
@@ -306,13 +364,14 @@ class UserDBModelView(UserModelView):
         "active",
         "email",
         "roles",
+        "groups",
         "password",
         "conf_password",
     ]
     @expose("/show/<pk>", methods=["GET"])
     @has_access
-    def show(self, pk):
+    def show(self, pk: Any) -> WerkzeugResponse:
         actions = dict()
         actions["resetpasswords"] = self.actions.get("resetpasswords")
         item = self.datamodel.get(pk, self._base_filters)
@@ -331,7 +390,7 @@ class UserDBModelView(UserModelView):
     @expose("/userinfo/")
     @has_access
-    def userinfo(self):
+    def userinfo(self) -> WerkzeugResponse:
         actions = dict()
         actions["resetmypassword"] = self.actions.get("resetmypassword")
         actions["userinfoedit"] = self.actions.get("userinfoedit")
@@ -355,7 +414,7 @@ class UserDBModelView(UserModelView):
         "fa-lock",
         multiple=False,
     )
-    def resetmypassword(self, item):
+    def resetmypassword(self, item: Any):
         return redirect(
             url_for(self.appbuilder.sm.resetmypasswordview.__name__ + ".this_form_get")
         )
@@ -363,7 +422,7 @@ class UserDBModelView(UserModelView):
     @action(
         "resetpasswords", lazy_gettext("Reset Password"), "", "fa-lock", multiple=False
     )
-    def resetpasswords(self, item):
+    def resetpasswords(self, item: Any) -> WerkzeugResponse:
         return redirect(
             url_for(
                 self.appbuilder.sm.resetpasswordview.__name__ + ".this_form_get",
@@ -371,12 +430,16 @@ class UserDBModelView(UserModelView):
             )
         )
-    def pre_update(self, item):
+    def pre_update(self, item: Any) -> None:
         item.changed_on = datetime.datetime.now()
         item.changed_by_fk = g.user.id
-    def pre_add(self, item):
-        item.password = generate_password_hash(item.password)
+    def pre_add(self, item: Any) -> None:
+        item.password = generate_password_hash(
+            password=item.password,
+            method=current_app.config.get("FAB_PASSWORD_HASH_METHOD", "scrypt"),
+            salt_length=current_app.config.get("FAB_PASSWORD_HASH_SALT_LENGTH", 16),
+        )
 class UserStatsChartView(DirectByChartView):
@@ -453,6 +516,35 @@ class RoleModelView(ModelView):
             self.datamodel.add(new_role)
         return redirect(self.get_redirect())
+    def pre_delete(self, item):
+        if item.user:
+            self.update_redirect()
+            raise DeleteRoleWithUsersException(
+                lazy_gettext("User(s) exists in the role, cannot delete")
+            )
+class UserGroupModelView(ModelView):
+    route_base = "/groups"
+    list_title = lazy_gettext("List Groups")
+    show_title = lazy_gettext("Show Group")
+    add_title = lazy_gettext("Add Group")
+    edit_title = lazy_gettext("Edit Group")
+    list_columns = ["name", "label", "roles"]
+    show_columns = ["name", "label", "description", "users", "roles"]
+    edit_columns = ["name", "label", "description", "users", "roles"]
+    add_columns = edit_columns
+    order_columns = ["name", "label", "description"]
+    def pre_delete(self, item):
+        if item.users:
+            self.update_redirect()
+            raise DeleteGroupWithUsersException(
+                lazy_gettext("User(s) exists in the group, cannot delete")
+            )
 class RegisterUserModelView(ModelView):
     route_base = "/registeruser"
@@ -477,26 +569,32 @@ class AuthView(BaseView):
     @expose("/logout/")
     def logout(self):
         logout_user()
-        return redirect(self.appbuilder.get_url_for_index)
+        return redirect(
+            current_app.config.get(
+                "LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
+            )
+        )
 class AuthDBView(AuthView):
     login_template = "appbuilder/general/security/login_db.html"
     @expose("/login/", methods=["GET", "POST"])
+    @no_cache
     def login(self):
         if g.user is not None and g.user.is_authenticated:
             return redirect(self.appbuilder.get_url_for_index)
         form = LoginForm_db()
         if form.validate_on_submit():
+            next_url = get_safe_redirect(request.args.get("next", ""))
             user = self.appbuilder.sm.auth_user_db(
                 form.username.data, form.password.data
             )
             if not user:
                 flash(as_unicode(self.invalid_login_message), "warning")
-                return redirect(self.appbuilder.get_url_for_login)
+                return redirect(self.appbuilder.get_url_for_login_with(next_url))
             login_user(user, remember=False)
-            return redirect(self.appbuilder.get_url_for_index)
+            return redirect(next_url)
         return self.render_template(
             self.login_template, title=self.title, form=form, appbuilder=self.appbuilder
         )
@@ -506,132 +604,37 @@ class AuthLDAPView(AuthView):
     login_template = "appbuilder/general/security/login_ldap.html"
     @expose("/login/", methods=["GET", "POST"])
+    @no_cache
     def login(self):
         if g.user is not None and g.user.is_authenticated:
             return redirect(self.appbuilder.get_url_for_index)
         form = LoginForm_db()
         if form.validate_on_submit():
+            next_url = get_safe_redirect(request.args.get("next", ""))
             user = self.appbuilder.sm.auth_user_ldap(
                 form.username.data, form.password.data
             )
             if not user:
                 flash(as_unicode(self.invalid_login_message), "warning")
-                return redirect(self.appbuilder.get_url_for_login)
+                return redirect(self.appbuilder.get_url_for_login_with(next_url))
             login_user(user, remember=False)
-            return redirect(self.appbuilder.get_url_for_index)
+            return redirect(next_url)
         return self.render_template(
             self.login_template, title=self.title, form=form, appbuilder=self.appbuilder
         )
-    """
-        For Future Use, API Auth, must check howto keep REST stateless
-    """
-    """
-    @expose_api(name='auth',url='/api/auth')
-    def auth(self):
-        if g.user is not None and g.user.is_authenticated:
-            http_return_code = 401
-            response = make_response(
-                jsonify(
-                    {
-                        'message': 'Login Failed already authenticated',
-                        'severity': 'critical'
-                    }
-                ),
-                http_return_code
-            )
-        username = str(request.args.get('username'))
-        password = str(request.args.get('password'))
-        user = self.appbuilder.sm.auth_user_ldap(username, password)
-        if not user:
-            http_return_code = 401
-            response = make_response(
-                jsonify(
-                    {
-                        'message': 'Login Failed',
-                        'severity': 'critical'
-                    }
-                ),
-                http_return_code
-            )
-        else:
-            login_user(user, remember=False)
-            http_return_code = 201
-            response = make_response(
-                jsonify(
-                    {
-                        'message': 'Login Success',
-                         'severity': 'info'
-                    }
-                ),
-                http_return_code
-            )
-        return response
-    """
-class AuthOIDView(AuthView):
-    login_template = "appbuilder/general/security/login_oid.html"
-    oid_ask_for = ["email"]
-    oid_ask_for_optional = []
-    def __init__(self):
-        super(AuthOIDView, self).__init__()
-    @expose("/login/", methods=["GET", "POST"])
-    def login(self, flag=True):
-        @self.appbuilder.sm.oid.loginhandler
-        def login_handler(self):
-            if g.user is not None and g.user.is_authenticated:
-                return redirect(self.appbuilder.get_url_for_index)
-            form = LoginForm_oid()
-            if form.validate_on_submit():
-                session["remember_me"] = form.remember_me.data
-                return self.appbuilder.sm.oid.try_login(
-                    form.openid.data,
-                    ask_for=self.oid_ask_for,
-                    ask_for_optional=self.oid_ask_for_optional,
-                )
-            return self.render_template(
-                self.login_template,
-                title=self.title,
-                form=form,
-                providers=self.appbuilder.sm.openid_providers,
-                appbuilder=self.appbuilder,
-            )
-        @self.appbuilder.sm.oid.after_login
-        def after_login(resp):
-            if resp.email is None or resp.email == "":
-                flash(as_unicode(self.invalid_login_message), "warning")
-                return redirect(self.appbuilder.get_url_for_login)
-            user = self.appbuilder.sm.auth_user_oid(resp.email)
-            if user is None:
-                flash(as_unicode(self.invalid_login_message), "warning")
-                return redirect(self.appbuilder.get_url_for_login)
-            remember_me = False
-            if "remember_me" in session:
-                remember_me = session["remember_me"]
-                session.pop("remember_me", None)
-            login_user(user, remember=remember_me)
-            return redirect(self.appbuilder.get_url_for_index)
-        return login_handler(self)
 class AuthOAuthView(AuthView):
     login_template = "appbuilder/general/security/login_oauth.html"
     @expose("/login/")
     @expose("/login/<provider>")
-    @expose("/login/<provider>/<register>")
-    def login(self, provider=None, register=None):
-        log.debug("Provider: {0}".format(provider))
+    def login(self, provider: Optional[str] = None) -> WerkzeugResponse:
+        log.debug("Provider: %s", provider)
         if g.user is not None and g.user.is_authenticated:
-            log.debug("Already authenticated {0}".format(g.user))
+            log.debug("Already authenticated %s", g.user)
             return redirect(self.appbuilder.get_url_for_index)
         if provider is None:
             return self.render_template(
                 self.login_template,
@@ -639,71 +642,71 @@ class AuthOAuthView(AuthView):
                 title=self.title,
                 appbuilder=self.appbuilder,
             )
-        else:
-            log.debug("Going to call authorize for: {0}".format(provider))
-            state = jwt.encode(
-                request.args.to_dict(flat=False),
-                self.appbuilder.app.config["SECRET_KEY"],
-                algorithm="HS256",
-            )
-            try:
-                if register:
-                    log.debug("Login to Register")
-                    session["register"] = True
-                if provider == "twitter":
-                    return self.appbuilder.sm.oauth_remotes[
-                        provider
-                    ].authorize_redirect(
-                        redirect_uri=url_for(
-                            ".oauth_authorized",
-                            provider=provider,
-                            _external=True,
-                            state=state,
-                        )
-                    )
-                else:
-                    return self.appbuilder.sm.oauth_remotes[
-                        provider
-                    ].authorize_redirect(
-                        redirect_uri=url_for(
-                            ".oauth_authorized", provider=provider, _external=True
-                        ),
-                        state=state.decode("ascii")
-                        if isinstance(state, bytes)
-                        else state,
+        log.debug("Going to call authorize for: %s", provider)
+        random_state = generate_random_string()
+        state = jwt.encode(
+            request.args.to_dict(flat=False), random_state, algorithm="HS256"
+        )
+        session["oauth_state"] = random_state
+        try:
+            if provider == "twitter":
+                return self.appbuilder.sm.oauth_remotes[provider].authorize_redirect(
+                    redirect_uri=url_for(
+                        ".oauth_authorized",
+                        provider=provider,
+                        _external=True,
+                        state=state,
                     )
-            except Exception as e:
-                log.error("Error on OAuth authorize: {0}".format(e))
-                flash(as_unicode(self.invalid_login_message), "warning")
-                return redirect(self.appbuilder.get_url_for_index)
+                )
+            else:
+                return self.appbuilder.sm.oauth_remotes[provider].authorize_redirect(
+                    redirect_uri=url_for(
+                        ".oauth_authorized", provider=provider, _external=True
+                    ),
+                    state=state.decode("ascii") if isinstance(state, bytes) else state,
+                )
+        except Exception as e:
+            log.error("Error on OAuth authorize: %s", e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_index)
     @expose("/oauth-authorized/<provider>")
-    def oauth_authorized(self, provider):
+    def oauth_authorized(self, provider: str) -> WerkzeugResponse:
         log.debug("Authorized init")
-        resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
+        if provider not in self.appbuilder.sm.oauth_remotes:
+            flash("Provider not supported.", "warning")
+            log.warning("OAuth authorized got an unknown provider %s", provider)
+            return redirect(self.appbuilder.get_url_for_login)
+        try:
+            resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
+        except Exception as e:
+            log.error("Error authorizing OAuth access token: %s", e)
+            flash("The request to sign in was denied.", "error")
+            return redirect(self.appbuilder.get_url_for_login)
         if resp is None:
-            flash(u"You denied the request to sign in.", "warning")
+            flash("You denied the request to sign in.", "warning")
             return redirect(self.appbuilder.get_url_for_login)
-        log.debug("OAUTH Authorized resp: {0}".format(resp))
+        log.debug("OAUTH Authorized resp: %s", resp)
         # Retrieves specific user info from the provider
         try:
             self.appbuilder.sm.set_oauth_session(provider, resp)
             userinfo = self.appbuilder.sm.oauth_user_info(provider, resp)
         except Exception as e:
-            log.error("Error returning OAuth user info: {0}".format(e))
+            log.error("Error returning OAuth user info: %s", e)
             user = None
         else:
-            log.debug("User info retrieved from {0}: {1}".format(provider, userinfo))
+            log.debug("User info retrieved from %s: %s", provider, userinfo)
             # User email is not whitelisted
             if provider in self.appbuilder.sm.oauth_whitelists:
                 whitelist = self.appbuilder.sm.oauth_whitelists[provider]
                 allow = False
-                for e in whitelist:
-                    if re.search(e, userinfo["email"]):
+                for email in whitelist:
+                    if "email" in userinfo and re.search(email, userinfo["email"]):
                         allow = True
                         break
                 if not allow:
-                    flash(u"You are not authorized.", "warning")
+                    flash("You are not authorized.", "warning")
                     return redirect(self.appbuilder.get_url_for_login)
             else:
                 log.debug("No whitelist for OAuth provider")
@@ -713,21 +716,19 @@ class AuthOAuthView(AuthView):
             flash(as_unicode(self.invalid_login_message), "warning")
             return redirect(self.appbuilder.get_url_for_login)
         else:
-            login_user(user)
             try:
                 state = jwt.decode(
-                    request.args["state"],
-                    self.appbuilder.app.config["SECRET_KEY"],
-                    algorithms=["HS256"],
+                    request.args["state"], session["oauth_state"], algorithms=["HS256"]
                 )
-            except jwt.InvalidTokenError:
-                raise Exception("State signature is not valid!")
-            try:
-                next_url = state["next"][0] or self.appbuilder.get_url_for_index
-            except (KeyError, IndexError):
-                next_url = self.appbuilder.get_url_for_index
+            except (jwt.InvalidTokenError, KeyError):
+                flash(as_unicode("Invalid state signature"), "warning")
+                return redirect(self.appbuilder.get_url_for_login)
+            login_user(user)
+            next_url = self.appbuilder.get_url_for_index
+            # Check if there is a next url on state
+            if "next" in state and len(state["next"]) > 0:
+                next_url = get_safe_redirect(state["next"][0])
             return redirect(next_url)
@@ -735,10 +736,11 @@ class AuthRemoteUserView(AuthView):
     login_template = ""
     @expose("/login/")
-    def login(self):
-        username = request.environ.get("REMOTE_USER")
+    def login(self) -> WerkzeugResponse:
+        username = request.environ.get(self.appbuilder.sm.auth_remote_user_env_var)
         if g.user is not None and g.user.is_authenticated:
-            return redirect(self.appbuilder.get_url_for_index)
+            next_url = request.args.get("next", "")
+            return redirect(get_safe_redirect(next_url))
         if username:
             user = self.appbuilder.sm.auth_user_remote_user(username)
             if user is None:
@@ -747,4 +749,5 @@ class AuthRemoteUserView(AuthView):
                 login_user(user)
         else:
             flash(as_unicode(self.invalid_login_message), "warning")
-        return redirect(self.appbuilder.get_url_for_index)
+        next_url = request.args.get("next", "")
+        return redirect(get_safe_redirect(next_url))

flask-appbuilder 3.2.1rc1__py3-none-any.whl → 5.0.2rc1__py3-none-any.whl

flask-appbuilder 3.2.1rc1py3-none-any.whl → 5.0.2rc1py3-none-any.whl