From f125420400ea8980fa718a4fdfc430d03b74113e Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 14 Feb 2023 11:33:16 +0100
Subject: [PATCH 1/2] Fix the bug reported by fastlorenzo

---
 core/admin/mailu/sso/views/base.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index f8fd5e10..539d18eb 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -62,7 +62,6 @@ def logout():
         response.set_cookie(cookie, 'empty', expires=0)
     return response
 
-
 @sso.route('/proxy', methods=['GET'])
 @sso.route('/proxy/<target>', methods=['GET'])
 def proxy(target='webmail'):
@@ -95,6 +94,8 @@ def proxy(target='webmail'):
         return flask.abort(500, 'Too many users in (domain=%s)' % domain)
     user = models.User(localpart=localpart, domain=domain)
     user.set_password(secrets.token_urlsafe())
+    flask.session.regenerate()
+    flask_login.login_user(user)
     models.db.session.add(user)
     models.db.session.commit()
     user.send_welcome()

From 6a4d8603fc3ca99a4c95fafdf9ad50171a0034d9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 14 Feb 2023 13:41:46 +0100
Subject: [PATCH 2/2] Create the user before logging it in

---
 core/admin/mailu/sso/views/base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 539d18eb..5ca4a52d 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -94,10 +94,10 @@ def proxy(target='webmail'):
         return flask.abort(500, 'Too many users in (domain=%s)' % domain)
     user = models.User(localpart=localpart, domain=domain)
     user.set_password(secrets.token_urlsafe())
-    flask.session.regenerate()
-    flask_login.login_user(user)
     models.db.session.add(user)
     models.db.session.commit()
+    flask.session.regenerate()
+    flask_login.login_user(user)
     user.send_welcome()
     flask.current_app.logger.info(f'Login succeeded by proxy created user: {user} from {client_ip} through {flask.request.remote_addr}.')
     return flask.redirect(app.config['WEB_ADMIN'] if target=='admin' else app.config['WEB_WEBMAIL'])