Stormbase / django-otp-webauthn

Passkey support for Django. Currently in early stages of development and not ready for production use!
BSD 3-Clause "New" or "Revised" License

Passwordless authentication fails due to AuthenticationDisabled exception #10

Closed jmichalicek closed 1 month ago

jmichalicek commented 1 month ago

It turns out that the lines referenced here were correct previously, but unclear as to why: https://github.com/Stormbase/django-otp-webauthn/pull/9#pullrequestreview-2178184304

After the logic change, passwordless authentication no longer works.

Internal Server Error: /webauthn/authentication/begin/
Traceback (most recent call last):
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/decorators/cache.py", line 80, in _view_wrapper
    response = view_func(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/mobelux-projects/django-otp-webauthn/src/django_otp_webauthn/views.py", line 61, in dispatch
    raise exceptions.AuthenticationDisabled()
django_otp_webauthn.exceptions.AuthenticationDisabled: Authentication is disabled.

So while that looked incorrect, the logic there was that if there was no user, then the request was unauthenticated and so could still be authenticated. Otherwise, there was a user attached to the request and so they could authenticate if they are active. Of course, within the normal flow of things, it's actually pretty unlikely that the request would have a user with is_active = False attached. Someone would definitely need to be doing something weird. It's not impossible, though.

A fix rolling back that change and adding comments explaining how it's correct is incoming.
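The rule the comment describes (a request with no user is unauthenticated and may still go through passwordless authentication; a request with a user attached may only if that user is active) as a constructed, stand-alone example. This is added illustration, not django-otp-webauthn's code: `User`, `Request`, `authentication_allowed` and `begin_authentication` are hypothetical stand-ins, and `AuthenticationDisabled` here only mimics the exception class named in the traceback. The anonymous case is worth a note: Django's `AnonymousUser` reports `is_active = False`, so a check that looked only at `is_active` would refuse every unauthenticated request, which is why the "no user / not authenticated" branch must come first.

```python
"""Constructed illustration of the check discussed in the issue; not the
project's own code. Models Django's request.user with plain dataclasses."""
from dataclasses import dataclass
from typing import Optional


class AuthenticationDisabled(Exception):
    """Stand-in for django_otp_webauthn.exceptions.AuthenticationDisabled."""


@dataclass
class User:
    username: str
    is_active: bool = True
    # Django's AnonymousUser reports is_authenticated=False and is_active=False.
    is_authenticated: bool = True


@dataclass
class Request:
    user: Optional[User] = None  # None models "no user attached to the request"


def authentication_allowed(request: Request) -> bool:
    """Return True when the WebAuthn authentication ceremony may begin.

    No user, or an anonymous (unauthenticated) one: the request is exactly
    what passwordless login exists for, so allow it. A real user attached to
    the request may authenticate only if the account is active.
    """
    user = request.user
    if user is None or not user.is_authenticated:
        return True
    return user.is_active


def begin_authentication(request: Request) -> str:
    """Hypothetical stand-in for the view's dispatch(), raising as in the traceback."""
    if not authentication_allowed(request):
        raise AuthenticationDisabled("Authentication is disabled.")
    return "challenge-issued"  # placeholder for the real ceremony options


if __name__ == "__main__":
    anonymous = User("anon", is_active=False, is_authenticated=False)
    print(authentication_allowed(Request()))                              # True
    print(authentication_allowed(Request(anonymous)))                     # True
    print(authentication_allowed(Request(User("alice"))))                 # True
    print(authentication_allowed(Request(User("bob", is_active=False))))  # False
```

The four cases at the bottom are the ones a regression test for this issue should cover: no user, an anonymous user, an active user and an inactive user; only the last should raise `AuthenticationDisabled`.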