fixed 2fa for non 2fa

2024-09-21 08:28:47 +03:00 · 2023-12-29 00:56:44 +03:00 · 2023-12-29 00:56:44 +03:00 · d8c4c0a927
commit d8c4c0a927
parent bf9e2beda1
3 changed files with 18 additions and 3 deletions
--- a/akarpov/templates/users/disable_2fa.html
+++ b/akarpov/templates/users/disable_2fa.html
@ -14,7 +14,7 @@
            <form method="POST">
                {% csrf_token %}
                {% crispy form %}
-                <input type="submit" class="btn btn-primary btn-block" value="Disable 2FA">
+                <button type="submit" class="btn btn-primary btn-block" value="Disable 2FA">
            </form>
          </div>
        </div>
--- a/akarpov/users/middleware.py
+++ b/akarpov/users/middleware.py
@ -1,6 +1,8 @@
+from cacheops import cached_as
 from django.shortcuts import redirect
 from django.urls import resolve
 from django.utils.deprecation import MiddlewareMixin
+from django_otp.plugins.otp_totp.models import TOTPDevice
 from rest_framework.exceptions import AuthenticationFailed


@ -24,8 +26,20 @@ def __call__(self, request):
        otp_not_verified = not request.session.get("otp_verified", False)
        on_2fa_page = resolve(request.path_info).url_name == "enforce_otp_login"

-        # Enforce OTP token input, if user is authenticated but has not verified OTP, and is NOT on the 2FA page
-        if is_authenticated and otp_not_verified and not on_2fa_page:
+        # Caches the checker for has_otp_device
+        @cached_as(
+            TOTPDevice, timeout=15 * 60
+        )  # consider appropriate time for your use case
+        def has_otp_device(user):
+            return TOTPDevice.objects.devices_for_user(user, confirmed=True).exists()
+
+        # Enforce OTP token input, if user is authenticated, has OTP enabled but has not verified OTP
+        if (
+            is_authenticated
+            and has_otp_device(request.user)
+            and otp_not_verified
+            and not on_2fa_page
+        ):
            request.session["next"] = request.get_full_path()
            return redirect("users:enforce_otp_login")

--- a/config/settings/base.py
+++ b/config/settings/base.py
@ -77,6 +77,7 @@
    "files.*": {"ops": ("fetch", "get", "list"), "timeout": 60},
    "auth.permission": {"ops": "all", "timeout": 60 * 15},
    "music.*": {"ops": ("fetch", "get", "list"), "timeout": 60 * 15},
+    "otp_totp.totpdevice": {"ops": "all", "timeout": 15 * 60},
 }
 CACHEOPS_REDIS = env.str("REDIS_URL")