jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Skipping Login check when using @otp_required decorator #176

Closed maxcanada closed 7 years ago

maxcanada commented 8 years ago

Hello!

I am implementing django-two-factor-auth on my website and I would love to have some views protected by 2FA, and some others not.

In order to do so, I use the decorator @otp_required which works great, but unfortunately asks the users to input their credentials again (to handle user sessions, I use the registration module).

Would you be able to give me a good way to hack the form in order to just ask the user to input the token (skipping a step of the form, basically)?

Thanks a lot,

maxcanada commented 7 years ago

I figured that for me to have what I want, I have to override the LoginView in core.py.

I must change this line:

    form_list = (
        ('auth', AuthenticationForm),
        ('token', AuthenticationTokenForm),
        ('backup', BackupTokenForm),
    )

Into this:

    form_list = (
        ('token', AuthenticationTokenForm),
        ('backup', BackupTokenForm),
    )

And override the method get_user() to have this:

    def get_user(self):
        """
        Returns the user authenticated by the AuthenticationForm. Returns False
        if not a valid user; see also issue #65.
        """
        self.request.user.backend = 'django.contrib.auth.backends.ModelBackend'
        return self.request.user

Any suggestion on how to do that in clean way?
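
The step-skipping logic described above, as an added stand-alone model that is not django-two-factor-auth code: `LoginWizard`, `User`, `Request` and `DEMO_TOKEN` are assumed stand-ins for the formtools wizard, the auth user and the request, so the example runs without Django. It contrasts the change proposed above (drop the `auth` step and return `request.user` unconditionally) with a variant that skips the step only for an already-authenticated session; the `PermissionError` in `done()` is this model's own check, standing in for whatever guard (for example `login_required`) would have to sit in front of such a view in a real deployment.

```python
"""Stand-in model of the 'skip the credential step' change in this thread.

Not django-two-factor-auth code: LoginWizard, User and Request are assumed
stand-ins for the formtools WizardView, the auth User and HttpRequest the
thread refers to, so the step logic can run without Django.
"""
from dataclasses import dataclass, field

DEMO_TOKEN = "123456"  # constructed: stands in for a valid one-time code


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    otp_verified: bool = False  # second factor checked in this session


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User = field(default_factory=lambda: ANONYMOUS)


class LoginWizard:
    """Shape of the stock LoginView: an ordered form_list plus a
    condition_dict of callables deciding whether each step runs."""

    form_list = ("auth", "token", "backup")
    condition_dict = {}

    def __init__(self, request):
        self.request = request
        self.cleaned = {}  # step name -> cleaned data, as the wizard stores it

    def get_form_list(self):
        return [step for step in self.form_list
                if self.condition_dict.get(step, lambda w: True)(self)]

    def get_user(self):
        # Stock behaviour: the user the 'auth' step authenticated, else None.
        return self.cleaned.get("auth")

    def done(self):
        user = self.get_user()
        if user is None or not user.is_authenticated:
            raise PermissionError("no authenticated user to log in")
        user.otp_verified = self.cleaned.get("token") == DEMO_TOKEN
        return user


class TokenOnlyWizard(LoginWizard):
    """The change proposed in the thread: drop 'auth', trust request.user."""
    form_list = ("token", "backup")

    def get_user(self):
        return self.request.user


class ConditionalWizard(LoginWizard):
    """Same effect, but 'auth' is skipped only for an authenticated session."""
    condition_dict = {"auth": lambda w: not w.request.user.is_authenticated}

    def get_user(self):
        if self.request.user.is_authenticated:
            return self.request.user
        return super().get_user()


def steps_for(wizard_cls, request):
    """Which steps the wizard will show for this request."""
    return wizard_cls(request).get_form_list()


def run_login(wizard_cls, request, submitted):
    """Feed each active step its submitted value and finish the wizard."""
    wizard = wizard_cls(request)
    for step in wizard.get_form_list():
        if step not in submitted:
            continue  # e.g. 'backup' is left blank when a token is given
        wizard.cleaned[step] = submitted[step]
    return wizard.done()


if __name__ == "__main__":
    alice = User("alice")
    print(steps_for(TokenOnlyWizard, Request(user=alice)))      # token, backup
    print(steps_for(ConditionalWizard, Request()))              # auth, token, backup
    print(run_login(ConditionalWizard, Request(user=alice),
                    {"token": DEMO_TOKEN}).otp_verified)        # True
```

The point the model makes is that `TokenOnlyWizard.get_user()` hands back whatever `request.user` is, so an anonymous request reaches `done()` with no authenticated user at all; `ConditionalWizard` keeps the credential step for that case and only removes it when the session is already authenticated.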

Bouke commented 7 years ago

If a user has enabled two-factor authentication, it will always ask the user to enter their second factor. There is no conditional logic depending on the page that's requested. The reasoning behind this is to secure the user's account -- not the page being visited per se.

There is no clean way to change how this works, as that is currently not supported by this package.