Fixed setup redirection regression

Regression in 4bd592c.

Author: PetrDlouhy

tests/test_views_login.py

@@ -38,7 +38,7 @@ def test_valid_login(self, mock_signal):
         response = self._post({'auth-username': '[email protected]',
                                'auth-password': 'secret',
                                'login_view-current_step': 'auth'})
-        self.assertRedirects(response, reverse('two_factor:setup'))
+        self.assertRedirects(response, resolve_url(settings.LOGIN_REDIRECT_URL))
 
         # No signal should be fired for non-verified user logins.
         self.assertFalse(mock_signal.called)
@@ -53,6 +53,16 @@ def test_valid_login_with_custom_redirect(self):
              'login_view-current_step': 'auth'})
         self.assertRedirects(response, redirect_url)
 
+    def test_valid_login_non_class_based_redirect(self):
+        redirect_url = reverse('plain')
+        self.create_user()
+        response = self.client.post(
+            '%s?%s' % (reverse('two_factor:login'), 'next=' + redirect_url),
+            {'auth-username': '[email protected]',
+             'auth-password': 'secret',
+             'login_view-current_step': 'auth'})
+        self.assertRedirects(response, redirect_url)
+
     def test_valid_login_with_custom_post_redirect(self):
         redirect_url = reverse('two_factor:setup')
         self.create_user()
@@ -80,8 +90,7 @@ def test_valid_login_with_allowed_external_redirect(self):
             {'auth-username': '[email protected]',
              'auth-password': 'secret',
              'login_view-current_step': 'auth'})
-        self.assertEqual(self.client.session.get('next'), redirect_url)
-        self.assertRedirects(response, reverse('two_factor:setup'), fetch_redirect_response=False)
+        self.assertRedirects(response, redirect_url, fetch_redirect_response=False)
 
     def test_valid_login_with_disallowed_external_redirect(self):
         redirect_url = 'https://test.disallowed-success-url.com'
@@ -91,7 +100,7 @@ def test_valid_login_with_disallowed_external_redirect(self):
             {'auth-username': '[email protected]',
              'auth-password': 'secret',
              'login_view-current_step': 'auth'})
-        self.assertRedirects(response, reverse('two_factor:setup'), fetch_redirect_response=False)
+        self.assertRedirects(response, reverse('two_factor:profile'), fetch_redirect_response=False)
 
     @mock.patch('two_factor.views.core.time')
     def test_valid_login_primary_key_stored(self, mock_time):
@@ -396,12 +405,12 @@ def test_login_different_user_on_existing_session(self, mock_logger):
         response = self._post({'auth-username': '[email protected]',
                                'auth-password': 'secret',
                                'login_view-current_step': 'auth'})
-        self.assertRedirects(response, reverse('two_factor:setup'))
+        self.assertRedirects(response, resolve_url(settings.LOGIN_REDIRECT_URL))
 
         response = self._post({'auth-username': '[email protected]',
                                'auth-password': 'secret',
                                'login_view-current_step': 'auth'})
-        self.assertRedirects(response, reverse('two_factor:setup'))
+        self.assertRedirects(response, resolve_url(settings.LOGIN_REDIRECT_URL))
 
     def test_missing_management_data(self):
         # missing management data
@@ -432,7 +441,7 @@ def test_login_different_user_with_otp_on_existing_session(self):
         response = self._post({'auth-username': '[email protected]',
                                'auth-password': 'secret',
                                'login_view-current_step': 'auth'})
-        self.assertRedirects(response, reverse('two_factor:setup'))
+        self.assertRedirects(response, resolve_url(settings.LOGIN_REDIRECT_URL))
 
         response = self._post({'auth-username': '[email protected]',
                                'auth-password': 'secret',

tests/urls.py

@@ -5,7 +5,7 @@
 from two_factor.urls import urlpatterns as tf_urls
 from two_factor.views import LoginView
 
-from .views import SecureView
+from .views import SecureView, plain_view
 
 urlpatterns = [
     path(
@@ -38,6 +38,11 @@
         name='custom-redirect-authenticated-user-login',
     ),
 
+    path(
+        'plain/',
+        plain_view,
+        name="plain",
+    ),
     path(
         'secure/',
         SecureView.as_view(),

tests/views.py

@@ -1,7 +1,13 @@
+from django.http import HttpResponse
 from django.views.generic import TemplateView
 
 from two_factor.views import OTPRequiredMixin
 
 
 class SecureView(OTPRequiredMixin, TemplateView):
     template_name = 'secure.html'
+
+
+def plain_view(request):
+    """ Non-class based view """
+    return HttpResponse('plain')

two_factor/views/core.py

@@ -38,6 +38,7 @@
 from two_factor.plugins.phonenumber.utils import get_available_phone_methods
 from two_factor.plugins.registry import registry
 from two_factor.utils import totp_digits
+from two_factor.views.mixins import OTPRequiredMixin
 
 from ..forms import (
     AuthenticationTokenForm, BackupTokenForm, DeviceValidationForm, MethodForm,
@@ -174,16 +175,17 @@ def done(self, form_list, **kwargs):
                                     httponly=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_HTTPONLY', True),
                                     samesite=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_SAMESITE', 'Lax'),
                                     )
-
             return response
 
         # If the user does not have a device.
-        else:
+        elif OTPRequiredMixin.is_otp_view(self.request.GET.get('next')):
             if self.request.GET.get('next'):
                 self.request.session['next'] = self.get_success_url()
             return redirect('two_factor:setup')
 
-    # Copied from django.contrib.auth.views.LoginView (Branch: stable/1.11.x)
+        return response
+
+    # Copied from django.conrib.auth.views.LoginView (Branch: stable/1.11.x)
     # https://github.com/django/django/blob/58df8aa40fe88f753ba79e091a52f236246260b3/django/contrib/auth/views.py#L63
     def get_success_url(self):
         url = self.get_redirect_url()

two_factor/views/mixins.py

@@ -2,7 +2,7 @@
 from django.contrib.auth.views import redirect_to_login
 from django.core.exceptions import PermissionDenied
 from django.template.response import TemplateResponse
-from django.urls import reverse
+from django.urls import Resolver404, resolve, reverse
 
 from ..utils import default_device
 
@@ -80,3 +80,14 @@ def dispatch(self, request, *args, **kwargs):
                     status=403,
                 )
         return super().dispatch(request, *args, **kwargs)
+
+    @classmethod
+    def is_otp_view(cls, view_path):
+        try:
+            next_resolver_match = resolve(view_path)
+        except Resolver404:
+            return False
+        return (
+            hasattr(next_resolver_match.func, 'view_class') and
+            issubclass(next_resolver_match.func.view_class, OTPRequiredMixin)
+        )