zopefoundation / Products.PluggableAuthService

Pluggable Zope authentication / authorization framework

User could not log in (`came_from` is missing for a cookie-based login) #65

Closed jugmac00 closed 3 years ago

jugmac00 commented 4 years ago

When a user tried to log in, the following log entry was created:

    2020-03-23 06:41:25,101 ERROR   [Zope.SiteErrorLog:252][waitress] 1584942085.10.20423314325 https://mysite.de/acl_users/cookie_auth/login
    Traceback (innermost last):
      Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
      Module ZPublisher.WSGIPublisher, line 359, in publish_module
      Module ZPublisher.WSGIPublisher, line 262, in publish
      Module ZPublisher.mapply, line 85, in mapply
      Module ZPublisher.WSGIPublisher, line 63, in call_object
      Module Products.PluggableAuthService.plugins.CookieAuthHelper, line 276, in login
    KeyError: 'came_from'

Setup: PluggableAuthService 2.4, Zope 4.3, ...

I can only reproduce the problem when I manually delete the value of `came_from` from the URL:

https://mysite.de/acl_users/cookie_auth/login_form?came_from=

Maybe that's what the user did.

My login form contains this code:

    <input type="hidden" name="came_from" value=""
           tal:attributes="value came_from | string:"/>

I cannot remember exactly, but I think empty input fields are dropped somewhere in the publishing process?

This could explain why it then "crashes" in PAS' login method: https://github.com/zopefoundation/Products.PluggableAuthService/blob/fbaac9f29481d483c8c1b780a464ffa2b8140eb3/Products/PluggableAuthService/plugins/CookieAuthHelper.py#L276

Should we test for `came_from` within the login method? Or rely on there being some logic in the `login_form` template?

I cannot hardcode a URL, as there is more than one instance.

I am also not sure about the control flow when logging in. The `unauthorized` method handles a missing `came_from`, but I am not sure how these two methods connect.

jugmac00 commented 3 years ago

Added it to the next Zope sprint to clarify what to do...

jugmac00 commented 3 years ago

Decision at sprint: redirect / stay at login form, but present the user a helpful message, as in "You have been successfully logged in, but we do not know where to redirect you."
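The handling agreed on above, sketched as an added example that is not the project's own code: the submitted form is modelled as a plain dict (an empty hidden field may be absent from it entirely, as the issue describes), `came_from` is read with `.get()` instead of indexing so the `KeyError` from the traceback cannot occur, and the function name `resolve_came_from`, the `site_host` parameter and the same-host check are assumptions of this example, not something the issue asked for.

```python
from urllib.parse import urlsplit

# Message from the sprint decision, shown when no usable redirect target exists.
LOGIN_OK_NO_TARGET = ("You have been successfully logged in, "
                      "but we do not know where to redirect you.")


def resolve_came_from(form, site_host):
    """Decide what to do after a successful cookie login.

    Returns ('redirect', url) when ``came_from`` names a usable target on this
    site, or ('message', text) when the login form should be shown again with
    a helpful message.  ``form`` is the submitted form as a dict; ``site_host``
    is the host serving the login form (assumed parameter, used to refuse
    redirects to other hosts as an extra safeguard).
    """
    # .get() tolerates a hidden field that was dropped or submitted empty.
    came_from = (form.get("came_from") or "").strip()
    if not came_from:
        return ("message", LOGIN_OK_NO_TARGET)

    # Backslashes are treated as slashes by some browsers; do not guess.
    if "\\" in came_from:
        return ("message", LOGIN_OK_NO_TARGET)

    parts = urlsplit(came_from)
    if parts.netloc:
        # Absolute (or scheme-relative "//host/...") URL: only our own host.
        if parts.netloc.lower() != site_host.lower():
            return ("message", LOGIN_OK_NO_TARGET)
        return ("redirect", came_from)

    # No host part: accept only site-absolute paths such as "/folder/page".
    if not came_from.startswith("/"):
        return ("message", LOGIN_OK_NO_TARGET)
    return ("redirect", came_from)
```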