web2py / py4web

Auth actions always generate links with appname included #910

Closed kszys closed 2 days ago

kszys commented 3 weeks ago

I ran into an issue when trying to migrate my web2py projects into py4web. py4web does not have the routes.py which I used before to map URLs to applications. I would like to achieve the following setup:

http://mydomain1.com -> /myapp1
http://mydomain2.com -> /myapp2
...

Lacking routes.py, I use nginx as a proxy with something like this (example for mydomain1.com -> /myapp1):

server {
    listen 80;

    server_name mydomain1.com;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8000/myapp1$request_uri;
    }
}

I use the following parameter for the Auth, which should help in not using the appname in the redirects to Auth actions:

auth.param.use_appname_in_redirects = False

For the clarity of the following examples, I also use:

auth.enable(route="config/auth")

This way, the redirect to Auth is done correctly - e.g., when I try to access:

http://mydomain1.com/config

which requires authentication, I get correctly redirected to:

http://mydomain1.com/config/auth/login

However, the next parameter is configured incorrectly:

?next=/myapp1/config

Also, the submit button action is set as:

action="//mydomain1.com/myapp1/config/auth/login?next=/myapp1/config/"

Notice the two myapp1 in the URL. All this means that Auth uses the appname in all these constructed links. I think it should follow the same logic (and use the same parameter) as for the redirects, and actually produce something like this expected result:

action="//mydomain1.com/config/auth/login?next=/config/"

I looked at the Auth code and I figured out how to fix the next parameter. It only requires replacing:

redirect_next = request.fullpath

with the condition:

if self.auth.param.use_appname_in_redirects == False:
    redirect_next = request.fullpath.replace(f"/{request.app_name}", "")
else:
    redirect_next = request.fullpath

In two functions of AuthEnforcer - abort_or_redirect and goto_login.

On the other hand, fixing the Submit button in the auth form seems to exceed my skills a bit. It is part of how the Auth APIs are exposed and they all use the appname in their paths by default.

Also, after some more looking into the code, there may also be other places where changes would be required - there are a number of places where URLs are constructed. In all those places it should be fixed by:

URL( ..., use_appname=self.param.use_appname_in_redirects)

(or something similar).
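
An added example, not part of the issue thread or of py4web's code: a prefix-anchored way to drop the app name from a `next` path, shown next to the `str.replace` form quoted above so the edge cases are visible. `strip_app_prefix` and `replace_everywhere` are hypothetical helper names, and the sample paths are constructed.

```python
def replace_everywhere(fullpath: str, app_name: str) -> str:
    """The str.replace form: removes every "/<app_name>" occurrence."""
    return fullpath.replace(f"/{app_name}", "")


def strip_app_prefix(fullpath: str, app_name: str) -> str:
    """Remove "/<app_name>" only when it is the first path segment.

    The query string, if any, is carried over untouched.
    """
    path, sep, query = fullpath.partition("?")
    prefix = "/" + app_name
    # Match the whole first segment, so "/myapp10" is not treated as "/myapp1".
    if app_name and (path == prefix or path.startswith(prefix + "/")):
        path = path[len(prefix):]
    # Keep exactly one leading slash: a value starting with "//" would be
    # read by browsers as a scheme-relative URL instead of a local path.
    path = "/" + path.lstrip("/")
    return path + sep + query


# Constructed sample paths, all for an app named "myapp1".
SAMPLES = [
    "/myapp1/config",
    "/myapp1/config/?ref=/myapp1/start",
    "/myapp1",
    "/myapp10/config",
    "/myapp1/files/myapp1/report",
    "/myapp1//host.example/x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} replace={replace_everywhere(sample, 'myapp1')!r:28} "
              f"prefix={strip_app_prefix(sample, 'myapp1')!r}")
```
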

kszys commented 2 weeks ago

I added a patch for this issue to the PR in #911. I also provided some comments and thoughts there, if anybody is interested.

kszys commented 2 days ago

It seems that the issue can be closed as discussed in #918