src/authentic2/forms/registration.py

@@ -33,6 +33,7 @@ from .. import app_settings, models
 from . import profile as profile_forms
 from .fields import PhoneField, ValidatedEmailField
 from .honeypot import HoneypotForm
+from .utils import NextUrlFormMixin
 
 User = get_user_model()
 
@@ -195,7 +196,7 @@ class RegistrationCompletionForm(RegistrationCompletionFormNoPassword):
         return self.cleaned_data
 
 
-class InputSMSCodeForm(Form):
+class InputSMSCodeForm(NextUrlFormMixin, Form):
     sms_code = CharField(
         label=_('SMS code'),
         help_text=_('The code you received by SMS.'),

src/authentic2/views.py

@@ -1122,6 +1122,7 @@ class BaseRegistrationView(HomeURLMixin, FormView):
 
         self.token = {}
         self.ou = get_default_ou()
+        self.next_url = utils_misc.select_next_url(request, None)
         # load pre-filled values when registering with email address
         if request.GET.get('token'):
             try:
@@ -1133,7 +1134,12 @@ class BaseRegistrationView(HomeURLMixin, FormView):
                 return HttpResponseBadRequest('invalid token', content_type='text/plain')
             if 'ou' in self.token:
                 self.ou = OU.objects.get(pk=self.token['ou'])
-        self.next_url = self.token.pop(REDIRECT_FIELD_NAME, utils_misc.select_next_url(request, None))
+            if self.token.get(REDIRECT_FIELD_NAME):
+                self.next_url = self.token.pop(REDIRECT_FIELD_NAME)
+        elif (next_url := request.GET.get(REDIRECT_FIELD_NAME)) and utils_misc.good_next_url(
+            request, next_url
+        ):
+            self.next_url = next_url
         set_home_url(request, self.next_url)
         return super().dispatch(request, *args, **kwargs)
 
@@ -1355,16 +1361,26 @@ class InputSMSCodeView(cbv.ValidateCSRFMixin, FormView):
             duration=120,
         )
 
-        # TODO next_url management throughout account creation process
+        params = {}
+        if 'next_url' in form.cleaned_data:
+            params[REDIRECT_FIELD_NAME] = form.cleaned_data['next_url']
         if self.code.kind == models.SMSCode.KIND_REGISTRATION:
             return utils_misc.redirect(
                 self.request,
-                reverse('registration_activate', kwargs={'registration_token': token.uuid}),
+                reverse(
+                    'registration_activate',
+                    kwargs={'registration_token': token.uuid},
+                ),
+                params=params,
             )
         elif self.code.kind == models.SMSCode.KIND_PASSWORD_LOST:
             return utils_misc.redirect(
                 self.request,
-                reverse('password_reset_confirm', kwargs={'token': token.uuid}),
+                reverse(
+                    'password_reset_confirm',
+                    kwargs={'token': token.uuid},
+                ),
+                params=params,
             )
 
 
@@ -1396,6 +1412,10 @@ class RegistrationCompletionView(CreateView):
             url = self.token[REDIRECT_FIELD_NAME]
             if redirect_url:
                 url = utils_misc.make_url(redirect_url, params={next_field: url})
+        elif (next_url := self.request.GET.get(REDIRECT_FIELD_NAME)) and utils_misc.good_next_url(
+            self.request, next_url
+        ):
+            url = next_url
         else:
             if redirect_url:
                 url = redirect_url

tests/test_registration.py

@@ -1086,3 +1086,27 @@ def test_phone_registration(app, db, settings):
 
     user = User.objects.get(first_name='John', last_name='Doe')
     assert user.phone == '+33612345678'
+
+
+def test_phone_registration_redirect_url(app, db, settings):
+    settings.A2_ACCEPT_PHONE_AUTHENTICATION = True
+    settings.SMS_URL = 'https://foo.whatever.none/'
+
+    resp = app.get('/accounts/consents/').follow()
+    resp = resp.click('Register!')
+    resp.form.set('phone_1', '612345678')
+    with HTTMock(sms_service_mock):
+        resp = resp.form.submit().follow()
+    code = SMSCode.objects.get()
+    resp.form.set('sms_code', code.value)
+    resp = resp.form.submit().follow()
+
+    resp.form.set('password1', 'Password0')
+    resp.form.set('password2', 'Password0')
+    resp.form.set('first_name', 'John')
+    resp.form.set('last_name', 'Doe')
+    resp = resp.form.submit()
+    assert resp.location == '/accounts/consents/'
+    resp.follow()
+    user = User.objects.get(first_name='John', last_name='Doe')
+    assert user.phone == '+33612345678'