From eb83cad1f521301e30bbc72350d4a738ae5a5250 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 15 May 2020 15:35:48 +0200
Subject: [PATCH] auth_fc: do not resolve next url (#42822)

---
 src/authentic2_auth_fc/views.py | 2 +-
 tests/auth_fc/test_auth_fc.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git src/authentic2_auth_fc/views.py src/authentic2_auth_fc/views.py
index fbdf585b..3addeee8 100644
--- src/authentic2_auth_fc/views.py
+++ src/authentic2_auth_fc/views.py
@@ -188,7 +188,7 @@ class FcOAuthSessionViewMixin(LoggerMixin):
                                    {'redirect_to': next_url})
 
     def simple_redirect(self, request, next_url, *args, **kwargs):
-        return a2_utils.redirect(request, next_url, *args, **kwargs)
+        return a2_utils.redirect(request, next_url, *args, resolve=False, **kwargs)
 
     def redirect(self, request, *args, **kwargs):
         next_url = kwargs.pop('next_url', None)
diff --git tests/auth_fc/test_auth_fc.py tests/auth_fc/test_auth_fc.py
index 7ac939aa..cdde0478 100644
--- tests/auth_fc/test_auth_fc.py
+++ tests/auth_fc/test_auth_fc.py
@@ -641,3 +641,7 @@ def test_can_change_password(app, fc_settings, caplog, hooks):
     assert path(response['Location']) == '/accounts/'
     response = response.follow()
     assert len(response.pyquery('[href*="password/change"]')) > 0
+
+
+def test_invalid_next_url(app, fc_settings, caplog, hooks):
+    assert app.get('/fc/callback/?code=coin&next=JJJ72QQQ').location == 'JJJ72QQQ'
-- 
2.26.0
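Review bot: With `resolve=False` the value of `next_url` now reaches the `Location` header as given, and nothing in this hunk shows it being checked against the request host or an allowed-redirect list before `a2_utils.redirect` is called; the new test in `tests/auth_fc/test_auth_fc.py` pins exactly that pass-through for a request-supplied `next` parameter. If that host check lives inside `a2_utils.redirect` or in the code that builds `next_url` from the callback request, it is not visible here and is worth confirming, because an unchecked absolute `next` is an open redirect. I would make the contract explicit on `simple_redirect`: `"""Redirect to next_url as given (resolve=False, so it is never treated as a URL name); next_url is request-supplied, so the caller is responsible for validating it against allowed hosts."""`. `redirect()` continues outside the hunk and the enclosing class `FcOAuthSessionViewMixin` starts before it.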
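Review bot: The name `test_invalid_next_url` says the value is invalid, but the assertion documents that the callback accepts it and echoes it back verbatim, so a reader cannot tell whether the test guards a deliberate behaviour or records a known gap; a one-line docstring such as `"""A next value that is not a URL name must not be reversed; it is passed through unchanged (#42822)."""` would settle that. The `fc_settings`, `caplog` and `hooks` parameters are not used in the body; if they are required for their fixture side effects, a short comment saying so would stop a later cleanup from dropping them. Pairing the assertion with a safe relative path (for example `next=/accounts/`) would also show the intended, non-error case for the same code path.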