Avoid showing the Login page if already logged in, and fix redirect loops.

Review Request #13438 — Created Nov. 27, 2023 and submitted

Information

Review Board
release-5.0.x

Reviewers

While working with a customer, I witnessed some confusion where the user
tried to log in, got redirected back to the Log In page, and then
thought they hadn't successfully logged in. This was occurring because
they were navigating to the Log In page, clicking Log In in the
navigation bar, and ending up back to the Log In page with a redirect
URL set back to the same page. Worse, if clicking Log In from the Log
Out page, users would get logged out immediately after logging in.

To avoid these situations, we now redirect away from the Log In page if
the user is already logged in. We only do this after we check for all
the SSO/client-side login flows, so that we don't disrupt those.

If the destination page would be the Log In or Log Out pages, we
normalize it back out to root URL for the server/Local Site. This
avoids these loops, and helpfully ensures users won't get immediately
logged out when logging in.

Django has a mechanism to do these sort of checks, but it doesn't handle
the redirect-to-login case. Actually, it does, but it handles it via
raising an exception. Our approach is more tailored to our needs.

Tested logging in and redirecting.

Tested visiting the page while already logged in, and testing without
a login redirect, with a suitable redirect, and with a redirect loop.

Performed the same test when clicking the Log In link from the Log Out
page.

Unit tests pass.

Summary ID
Avoid showing the Login page if already logged in, and fix redirect loops.
While working with a customer, I witnessed some confusion where the user tried to log in, got redirected back to the Log In page, and then thought they hadn't successfully logged in. This was occurring because they were navigating to the Log In page, clicking Log In in the navigation bar, and ending up back to the Log In page with a redirect URL set back to the same page. Worse, if clicking Log In from the Log Out page, users would get logged out immediately after logging in. To avoid these situations, we now redirect away from the Log In page if the user is already logged in. We only do this after we check for all the SSO/client-side login flows, so that we don't disrupt those. If the destination page would be the Log In or Log Out pages, we normalize it back out to root URL for the server/Local Site. This avoids these loops, and helpfully ensures users won't get immediately logged out when logging in. Django has a mechanism to do these sort of checks, but it doesn't handle the redirect-to-login case. Actually, it does, but it handles it via raising an exception. Our approach is more tailored to our needs.
7f79fb8b9d89b2aecce0d7f13248737aa832073f
david
  1. Ship It!
  2. 
      
maubin
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-5.0.x (f2fd73d)