Hi there,
my GSOC student again has some issue with hidden magic in Plone PAS.
We POST from a custom login form our Webauthn credentials to /Plone/login
Our authenticateCredentials() implementation returns the tuple (user_id, user_id).
Expectation: PlonePAS should redirect to the welcome page and have the user authenticated
But we don't see any redirection. The POST request no impact the browser. Anything missing here?
The logic to finish logging in is in the login form's handleLogin method (https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/browser/login/login.py#L152), which will only be called if the login button was pressed. In HTTP terms, this means including buttons.login in the form data. Since it's a post you might also need a CSRF authenticator.
PAS validation happens on every request, so if necessary you can create a custom view that does the same post-login actions as the login form (if using the login form is cumbersome).
Thanks for the point. That might be useful.
There is also the Products.PluggableAuthService.interfaces.events.IUserLoggedInEvent where you could register an event listener and implement a redirection.
Notifying the UserLoggedInEvent is one of the things that is done by the login form (well, the login form calls membership_tool.loginUser(self.request) which does it. It is not raised by PAS, as far as I know.