next_is_valid() doesn't exist in flask-login?

Flask-login doc says we should validate next using next_is_valid(), but I can't find any such method:

Warning: You MUST validate the value of the next parameter. If you do not, your application will be vulnerable to open redirects.

@app.route('/login', methods=['GET', 'POST'])
def login():
    # Here we use a class of some kind to represent and validate our
    # client-side form data. For example, WTForms is a library that will
    # handle this for us.
    form = LoginForm()
    if form.validate_on_submit():
        # Login and validate the user.
        login_user(user)

        flask.flash('Logged in successfully.')

        next = flask.request.args.get('next')
        if not next_is_valid(next):
            return flask.abort(400)

        return flask.redirect(next or flask.url_for('index'))
    return flask.render_template('login.html', form=form)

Running this I get the error:

NameError: global name 'next_is_valid' is not defined

And if I do:

from flask.ext.login import next_is_valid
>> ImportError: cannot import name next_is_valid

Where is the next_is_valid() function, and if it doesn't exist, how do I validate the next parameter?

rublex asked Aug 10 '15 19:08
1 Answer

It doesn't say you must validate next with next_is_valid, only that

You MUST validate the value of the next parameter.

next_is_valid is just an example function.

You must determine if next is valid based on your own criteria. next is the URL to redirect to on a successful login. If you have any permissions to apply or restrictions on your site, this is where you would want to make sure they are enforced.

For example, a user could attempt to log in with the request URL http://example.com/login?next=admin/delete/all/users. If the login attempt was successful and the admin permission was not checked within your login function or on the endpoint itself, well, bad things could happen. It all depends on how you structure your application and control access to individual endpoints.

bnjmn answered Nov 19 '22 06:11
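As an added illustration of what the answer above describes (this is example code, not part of Flask-Login and not the answerer's code), here is one way an application could write its own next_is_valid-style check. It assumes the site's base URL is passed in (in a Flask view that would be flask.request.host_url) and accepts only targets that resolve to the same scheme family and host, which is the open-redirect check the Flask-Login warning is about. The helper names is_safe_redirect and choose_redirect are hypothetical.

```python
from urllib.parse import urljoin, urlparse

# Constructed example: a same-site check for the ``next`` parameter.
# Hypothetical helper names; the application, not Flask-Login, defines these.


def is_safe_redirect(target, host_url):
    """Return True only if ``target`` stays on the site identified by ``host_url``.

    The target is resolved relative to the site's base URL, then must use an
    http(s) scheme and carry exactly the same network location (host and port).
    That rejects absolute URLs to other hosts and ``javascript:``-style schemes.
    Scheme-relative forms (``//evil.example``) and backslashes are rejected up
    front, because browsers may normalise ``/\\`` or ``///`` into ``//host``.
    """
    if not target:
        return False
    if target.startswith(("//", "/\\")) or "\\" in target:
        return False
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and ref.netloc == test.netloc


def choose_redirect(next_param, host_url, fallback="/"):
    """Post-login destination: ``next`` when it passes the check, else ``fallback``."""
    if is_safe_redirect(next_param, host_url):
        return next_param
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in ?next=...
    base = "https://example.com/login"
    for candidate in ("/dashboard", "admin/delete/all/users",
                      "https://evil.example/", "//evil.example/x",
                      "javascript:alert(1)", ""):
        print(repr(candidate), "->", choose_redirect(candidate, base))
```

In the login view this replaces the undefined next_is_valid call: compute the destination with choose_redirect(flask.request.args.get('next'), flask.request.host_url) and redirect there. Note that a same-site check only prevents leaving the site; a relative target such as admin/delete/all/users still passes it, so authorization for that endpoint has to be enforced on the endpoint itself, exactly as the answer says.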