Ensure user is redirected to login page after failed login. #6704

web/pgadmin/authenticate/__init__.py

@@ -18,15 +18,15 @@ from flask import current_app, flash, Response, request, url_for, \
     session, redirect, render_template
 from flask_babel import gettext
 from flask_security.views import _security, _ctx
-from flask_security.utils import get_post_logout_redirect, logout_user,\
-    config_value
+from flask_security.utils import logout_user, config_value
 
 from flask_login import current_user
 from flask_socketio import disconnect, ConnectionRefusedError
 
 
 from pgadmin.model import db, User
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+    get_safe_post_logout_redirect
 from pgadmin.utils.constants import KERBEROS, INTERNAL, OAUTH2, LDAP,\
     MessageType
 from pgadmin.authenticate.registry import AuthSourceRegistry
@@ -135,7 +135,7 @@ def _login():
                           'Administrator.'),
                   MessageType.WARNING)
             logout_user()
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())
 
     # Validate the user
     if not auth_obj.validate():
@@ -161,7 +161,7 @@ def _login():
                     flash_login_attempt_error = None
                 flash(error, MessageType.WARNING)
 
-        return redirect(get_post_logout_redirect())
+        return redirect(get_safe_post_logout_redirect())
 
     # Authenticate the user
     status, msg = auth_obj.authenticate()
@@ -177,7 +177,7 @@ def _login():
                     'authenticate.kerberos_login'), url_for('browser.index')))
 
             flash(msg, MessageType.ERROR)
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())
 
         session['auth_source_manager'] = current_auth_obj
 

web/pgadmin/authenticate/oauth2.py

@@ -16,13 +16,14 @@ from flask import current_app, url_for, session, request,\
     redirect, Flask, flash
 from flask_babel import gettext
 from flask_security import login_user, current_user
-from flask_security.utils import get_post_logout_redirect, logout_user
+from flask_security.utils import logout_user
 
 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.model import User
 from pgadmin.tools.user_management import create_user
 from pgadmin.utils.constants import OAUTH2, MessageType
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+    get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db
 
@@ -69,11 +70,11 @@ def init_app(app):
     @pgCSRFProtect.exempt
     def oauth_logout():
         if not current_user.is_authenticated:
-            return redirect(get_post_logout_redirect())
+            return redirect(get_safe_post_logout_redirect())
         for key in list(session.keys()):
             session.pop(key)
         logout_user()
-        return redirect(get_post_logout_redirect())
+        return redirect(get_safe_post_logout_redirect())
 
     app.register_blueprint(blueprint)
     app.login_manager.logout_view = OAUTH2_LOGOUT

web/pgadmin/utils/__init__.py

@@ -17,7 +17,8 @@ from operator import attrgetter
 from flask import Blueprint, current_app, url_for
 from flask_babel import gettext
 from flask_security import current_user, login_required
-from flask_security.utils import get_post_login_redirect
+from flask_security.utils import get_post_login_redirect, \
+    get_post_logout_redirect
 from threading import Lock
 
 from .paths import get_storage_directory
@@ -898,3 +899,16 @@ def get_safe_post_login_redirect():
             return url
 
     return url_for('browser.index')
+
+
+def get_safe_post_logout_redirect():
+    allow_list = [
+        url_for('security.login')
+    ]
+    if "SCRIPT_NAME" in os.environ and os.environ["SCRIPT_NAME"]:
+        allow_list.append(os.environ["SCRIPT_NAME"])
+    url = get_post_logout_redirect()
+    for item in allow_list:
+        if url.startswith(item):
+            return url
+    return url_for('security.login')