Open WayneLambert opened 3 years ago
[x] Set up a mixin for DeviceAuthUserMixin
[x] Set up a mixin for EmailAuthUserMixin
[x] Set up a mixin for TwoFactorAuthUserMixin
[x] Send an email to the user once they have set up their two-factor authentication
[x] Set a token_valid_expiration_date
[x] Set up a pathway redirect upon login that directs an email authenticator to a screen that accepts the email token
[x] Logic needs to check that the token is within its expiration date (28 days)
[x] Set up throttling on the user
[x] Resolve testing issue which emulates a user being verified/authenticated with their second factor.
Scenario 1: The user does not exist (mickey-mouse)
Scenario 2: The user exists but is not set up for 2FA at all (john-terry - 7)
Scenario 3: The user exists and is using the device token method of 2FA (james-bond - 62)
Scenario 4: The user exists and is attempting to 2FA with an expired email token (donald-trump - 66)
Scenario 5: The user exists and uses an unexpired email token as 2FA (bruce-willis - 67)
The testing scenarios outlined in this comment have been tested and the code works as expected.
`donald-trump` now has an entry in the database for a token authentication in addition to an expired email token. How does logging in as donald now work?
Due to the hierarchy of logic, Donald is presented with the opportunity to choose their method of 2FA again.
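The five scenarios above and the "hierarchy of logic" answer, as an added stand-alone model that is not the project's code: a plain-Python version of the dispatch a `TwoFactorAuthUserMixin` would perform at login, with the 28-day email-token expiry check. The `User` fields, the route names and the order of checks (a recorded email token is examined before the device method, so a device-enrolled user holding an expired email token is sent back to choose a method) are assumptions made to reproduce the outcomes described in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_VALIDITY = timedelta(days=28)  # email token lifetime stated in the checklist


@dataclass
class User:
    """Assumed stand-in for the project's user record (not the real model)."""
    username: str
    has_device_token: bool = False                  # device-based second factor enrolled
    email_token_issued_at: Optional[datetime] = None  # None = no email token ever issued


def email_token_is_valid(user: User, now: datetime) -> bool:
    """An email token is only usable within 28 days of being issued."""
    if user.email_token_issued_at is None:
        return False
    return now - user.email_token_issued_at < TOKEN_VALIDITY


def two_factor_dispatch(user: Optional[User], now: datetime) -> str:
    """Route a login attempt. Route names are assumptions for this example."""
    if user is None:
        return "login_failed"            # Scenario 1: unknown user
    if user.email_token_issued_at is not None:
        if email_token_is_valid(user, now):
            return "email_token_screen"  # Scenario 5: unexpired email token
        return "choose_2fa_method"       # Scenario 4: expired token, choose again
    if user.has_device_token:
        return "device_token_screen"     # Scenario 3: device token method
    return "choose_2fa_method"           # Scenario 2: not set up for 2FA at all


def run_scenarios(now: Optional[datetime] = None) -> dict:
    """Constructed sample users mirroring the issue's five scenarios."""
    now = now or datetime.now(timezone.utc)
    users = {
        "mickey-mouse": None,
        "john-terry": User("john-terry"),
        "james-bond": User("james-bond", has_device_token=True),
        "donald-trump": User("donald-trump", has_device_token=True,
                             email_token_issued_at=now - timedelta(days=29)),
        "bruce-willis": User("bruce-willis",
                             email_token_issued_at=now - timedelta(days=3)),
    }
    return {name: two_factor_dispatch(u, now) for name, u in users.items()}
```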
Need to make a decision on how long the token should be valid for, weighing security against convenience.
Can I use `FormView` instead of `TemplateView`? Or can I manually declare the single form within the `post` method, which would give me access to the form object, enabling access to `cleaned_data` and `errors`.
The `post` method included an instantiation of the form, enabling access to the form data rather than the POST data.
The `ProfileView` and the `ProfileUpdateView` are two examples of views that should only be available within the project for users that have two-factor authenticated. Other examples include the `PostUpdateView`.
These should be used as the examples to include a custom mixin and for their corresponding tests to be adapted to emulate being two-factor authenticated.
The `ProfileView` is an example of where multiple permutations of the test have been set up to ensure that the intended outcome happens for each authentication status attempting to access the view.
`max_length` attribute of the `challenge_token` field to 255. Run `makemigrations` and `migrate`.
`from two_factor.utils import default_device`
`FormView` instead but attempt to use a form that inherits from `forms.Form` rather than `forms.ModelForm`. I think using `forms.ModelForm` is blocking me from being able to use the `FormView`.
.ProfileView
ProfileUpdateView
PostCreateView
PostUpdateView
Replace the `django-cryptography` package with the `django-encrypted-model-fields` package. This is a more frequently maintained package and will not prevent the upgrade path.
This issue tracks the implementation of using either a device or email token as a second factor in their multi-factor authentication process.