feat: redirect to original page after login (#18545)

Leaving the insecure cookie alive when not logged in leads to confusing
client-side include behavior, as the last HTTP request from CSI is the
current user indicator, which changes the value of `request.url`.

Resolves #12986

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

Author: miketheman

tests/unit/test_sessions.py

@@ -564,7 +564,8 @@ def test_invalidated_deletes_save_non_secure(self, monkeypatch, pyramid_request)
         response = pretend.stub(
             set_cookie=pretend.call_recorder(
                 lambda cookie, data, httponly=False, secure=True, samesite=b"none": None
-            )
+            ),
+            delete_cookie=pretend.call_recorder(lambda cookie: None),
         )
         session_factory._process_response(pyramid_request, response)
 
@@ -594,6 +595,9 @@ def test_invalidated_deletes_save_non_secure(self, monkeypatch, pyramid_request)
                 samesite=b"lax",
             )
         ]
+        assert response.delete_cookie.calls == [
+            pretend.call("user_id__insecure"),
+        ]
 
 
 class TestSessionView:

warehouse/sessions.py

@@ -16,6 +16,7 @@
 import warehouse.utils.otp as otp
 import warehouse.utils.webauthn as webauthn
 
+from warehouse.accounts.views import USER_ID_INSECURE_COOKIE
 from warehouse.cache.http import add_vary
 from warehouse.utils import crypto
 from warehouse.utils.msgpack import object_encode
@@ -305,7 +306,7 @@ def _process_response(self, request, response):
             #  > Expires: Session
             # This will allow effectively allow the cookie to live indefinitely,
             # as long as the user has interacted with the session _before_ the
-            # session key expieres in redis.
+            # session key expires in redis.
             # Once the session key has expired in redis, the session will be marked
             # as invalid and will not authenticate the account.
             response.set_cookie(
@@ -315,6 +316,12 @@ def _process_response(self, request, response):
                 secure=request.scheme == "https",
                 samesite=b"lax",
             )
+            # If there's no user associated with the session, remove the insecure cookie
+            # to prevent JavaScript access to it, which can confuse the UI.
+            # We cannot access `request.authenticated_userid` at this point in the
+            # request lifecycle, so we check the session directly.
+            if not request.session.get("auth.userid"):
+                response.delete_cookie(USER_ID_INSECURE_COOKIE)
 
 
 def session_view(view, info):

warehouse/templates/base.html

@@ -40,7 +40,7 @@
              class="horizontal-menu__link">{% trans %}Sponsors{% endtrans %}</a>
         </li>
         <li class="horizontal-menu__item">
-          <a href="{{ request.route_path('accounts.login') }}"
+          <a href="{{ request.route_path('accounts.login', _query={'next': request.url }) }}"
              class="horizontal-menu__link">{% trans %}Log in{% endtrans %}</a>
         </li>
         <li class="horizontal-menu__item">

warehouse/templates/pages/sitemap.html

@@ -22,7 +22,7 @@ <h2 class="no-top-padding">{% trans %}Using PyPI{% endtrans %}</h2>
       <h2>{% trans %}Authentication{% endtrans %}</h2>
       <ul>
         <li>
-          <a href="{{ request.route_url('accounts.login') }}">{% trans %}Login{% endtrans %}</a>
+          <a href="{{ request.route_url('accounts.login', _query={'next': request.url}) }}">{% trans %}Login{% endtrans %}</a>
         </li>
         <li>
           <a href="{{ request.route_url('accounts.register') }}">{% trans %}Register{% endtrans %}</a>