I figured it out, navigating to a login-protected route (/requests in this example) would cause a redirect to the login page with the next
parameter.
/login?next=%2Frequests
In my login template, I had this:
<form action="{{ url_for('login') }}" method='POST'>
This caused the form to be posted to the /login
route without any parameters. Removing the action
attribute or changing it to action=""
causes the form to be posted to its own url, which includes the original query string. Another option would be including next=next
in url_for.
<form action="{{ url_for('login', next=next) }}" method='POST'>