make post redirects default to APPLICATION_ROOT config (#376)

Author: tysonholub

docs/configuration.rst

@@ -533,16 +533,16 @@ Login/Logout
 .. py:data:: SECURITY_POST_LOGIN_VIEW
 
     Specifies the default view to redirect to after a user logs in. This value can be set to a URL
-    or an endpoint name.
+    or an endpoint name. Defaults to the Flask config ``APPLICATION_ROOT`` value which itself defaults to ``"/"``.
 
-    Default: ``"/"``.
+    Default: ``APPLICATION_ROOT``.
 
 .. py:data:: SECURITY_POST_LOGOUT_VIEW
 
-    Specifies the default view to redirect to after a user logs out.
-    This value can be set to a URL or an endpoint name.
+    Specifies the default view to redirect to after a user logs out. This value can be set to a URL
+    or an endpoint name. Defaults to the Flask config ``APPLICATION_ROOT`` value which itself defaults to ``"/"``.
 
-    Default: ``"/"``.
+    Default: ``APPLICATION_ROOT``.
 
 
 .. py:data:: SECURITY_UNAUTHORIZED_VIEW

flask_security/core.py

@@ -1031,6 +1031,14 @@ def init_app(self, app, datastore=None, register_blueprint=None, **kwargs):
         if "mail_util_cls" not in kwargs:
             kwargs.setdefault("mail_util_cls", MailUtil)
 
+        # default post redirects to APPLICATION_ROOT, which itself defaults to "/"
+        app.config.setdefault(
+            "SECURITY_POST_LOGIN_VIEW", app.config.get("APPLICATION_ROOT", "/")
+        )
+        app.config.setdefault(
+            "SECURITY_POST_LOGOUT_VIEW", app.config.get("APPLICATION_ROOT", "/")
+        )
+
         for key, value in _default_config.items():
             app.config.setdefault("SECURITY_" + key, value)
 

flask_security/utils.py

@@ -525,7 +525,7 @@ def find_redirect(key):
     rv = (
         get_url(session.pop(key.lower(), None))
         or get_url(current_app.config[key.upper()] or None)
-        or "/"
+        or current_app.config.get("APPLICATION_ROOT", "/")
     )
     return rv
 

tests/test_misc.py

@@ -942,3 +942,41 @@ def myview():
     # This should work and not be redirected
     response = client.get("/myview", follow_redirects=False)
     assert response.status_code == 200
+
+
+def test_post_security_with_application_root(app, sqlalchemy_datastore):
+    init_app_with_options(app, sqlalchemy_datastore, **{"APPLICATION_ROOT": "/root"})
+    client = app.test_client()
+
+    response = client.post(
+        "/login", data=dict(email="matt@lp.com", password="password")
+    )
+    assert response.status_code == 302
+    assert response.headers["Location"] == "http://localhost/root"
+
+    response = client.get("/logout")
+    assert response.status_code == 302
+    assert response.headers["Location"] == "http://localhost/root"
+
+
+def test_post_security_with_application_root_and_views(app, sqlalchemy_datastore):
+    init_app_with_options(
+        app,
+        sqlalchemy_datastore,
+        **{
+            "APPLICATION_ROOT": "/root",
+            "SECURITY_POST_LOGIN_VIEW": "/post_login",
+            "SECURITY_POST_LOGOUT_VIEW": "/post_logout",
+        }
+    )
+    client = app.test_client()
+
+    response = client.post(
+        "/login", data=dict(email="matt@lp.com", password="password")
+    )
+    assert response.status_code == 302
+    assert response.headers["Location"] == "http://localhost/post_login"
+
+    response = client.get("/logout")
+    assert response.status_code == 302
+    assert response.headers["Location"] == "http://localhost/post_logout"