I'm a little confused. The auth requires decorators redirect to (say) the login page, and stuff _next=URL() into vars. This is a bit of a hazard because vars can get corrupted in the outside world, and we check it somewhat (I'm not 100% convinced by the check, and it's all so not-DRY, but that's another story).
OTOH, Auth.__init__ has some auto_redirect logic that stores the next-URL in the session (good, that's more secure). But presumably that path is different from the decorator logic (otherwise we'd have two possible next-URLs, one in vars, one in the session). So what's the Auth() logic used for? Could these logic paths be unified? Wouldn't it be better to always store the next-URL link in the session instead of exposing it in the redirect URL? Straighten me out, please.
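The two paths contrasted in the post above, sketched side by side as an added example (not part of the original post and not web2py's own code). The login route, the `next_url` session key and all function names are hypothetical, and a plain dict stands in for the session.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_PATH = "/user/login"  # assumed login route
DEFAULT_NEXT = "/"          # assumed fallback when the target is rejected


def safe_next(candidate, default=DEFAULT_NEXT):
    """Accept only a same-site absolute path; anything else becomes default."""
    if not candidate:
        return default
    # Browsers treat "\" like "/" and drop control characters, so reject both.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:  # absolute or scheme-relative URL
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Path 1: the target travels in the redirect URL, so the client can rewrite it.
def redirect_with_vars(requested_path):
    return LOGIN_PATH + "?" + urlencode({"_next": requested_path})


def next_from_vars(query_string):
    values = parse_qs(query_string).get("_next", [])
    # A repeated _next is ambiguous; refuse it instead of picking one.
    return safe_next(values[0] if len(values) == 1 else None)


# Path 2: the target stays server-side; the login URL carries no parameter.
def redirect_with_session(session, requested_path):
    session["next_url"] = requested_path
    return LOGIN_PATH


def next_from_session(session):
    # pop() makes the stored target single-use; still validated on the way out.
    return safe_next(session.pop("next_url", None))
```

With the session path the redirect URL exposes nothing to tamper with, so the validation in `safe_next` becomes a second line of defence rather than the only one.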