jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Bypass security token on debug #338

Open Kailegh opened 4 years ago

Kailegh commented 4 years ago

Hi, I have my web development server on which I work locally (192.168.0.4). I read the QR code and use the OTP without any problem. However, when I upload the server to another computer, the tokens my mobile generates simply do not work; then I need to go to my local server, remove the MFA and enable it again. The thing is, the tokens do not work on two different servers although they use the same database and the OTP device is, therefore, the same.

My question is, can I use the debug mode of Django somehow to overcome the request of the security token when working locally and only ask for it on "production"? I do not intend to disable and enable the MFA of a user, I just want Django not to ask for the token on debug mode.

I have tried something like the following:

        import functools
        from django.conf import settings
        from django_otp.middleware import is_verified  # django_otp helper the partial wraps

        if settings.DEBUG:
            request.user.is_verified = lambda: True
        else:
            request.user.is_verified = functools.partial(is_verified, request.user)

That works if the user has not enabled MFA, but if it is already enabled, Django asks for the token when the user logs in. Can I overcome this somehow?

Thanks a lot for your help!

moggers87 commented 4 years ago

Where did you put this code? I see no reason why it shouldn't work.

Also, you might want to look into your servers' clocks. OTP shouldn't care about being on the same server, but it does care about time.
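The clock remark above is the security-relevant point of the thread: a TOTP code is derived from the shared secret and the current 30-second time step, so two servers with the same database but different clocks will disagree on which codes are valid. The following standard-library RFC 6238 implementation is an added example (not code from this issue, from django_otp or from django-two-factor-auth) that shows how a verifier with a tolerance window behaves when the phone's clock and the server's clock drift apart. The secret is the RFC 4226/6238 test key and all timestamps are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # TOTP time step in seconds (RFC 6238 default; django_otp uses the same)
DIGITS = 6   # what Google Authenticator displays

# Constructed input: the RFC 4226 / RFC 6238 test secret, used for its published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step)


def verify(secret: bytes, token: str, now: int, tolerance: int = 1,
           step: int = STEP) -> Optional[int]:
    """Accept `token` if it matches the server's current step or any step within +/- tolerance.

    Returns the step offset that matched (e.g. -1 means the client clock is one step behind
    the server's), or None if nothing in the window matches. Comparison is constant-time.
    """
    for delta in range(-tolerance, tolerance + 1):
        candidate = totp(secret, now + delta * step, step)
        if hmac.compare_digest(candidate, token):
            return delta
    return None


def skew_demo(secret: bytes, phone_time: int, server_time: int,
              tolerance: int = 1) -> Optional[int]:
    """Generate a code on a phone whose clock reads `phone_time` and check it on a server
    whose clock reads `server_time`. Constructed scenario for illustration."""
    token = totp(secret, phone_time)
    return verify(secret, token, server_time, tolerance)


if __name__ == "__main__":
    # Same secret, clocks 40 s apart: accepted only because the window allows one step back.
    print("40 s skew, tolerance 1:", skew_demo(TEST_SECRET, 1000, 1040))
    # Same secret, clocks 100 s apart: outside the +/-1 step window, so rejected.
    print("100 s skew, tolerance 1:", skew_demo(TEST_SECRET, 1000, 1100))
```

A quick check when a container or second host rejects codes that work on the development machine is to compare `date -u` on both (for Docker, `docker run --rm alpine date -u` against the host's `date -u`); a difference larger than about one step will fail verification with the default tolerance. django_otp's TOTPDevice keeps a per-device `tolerance` (default 1 step) and a learned `drift`, so a small, stable skew is absorbed, but a clock that is minutes off is not.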

Kailegh commented 4 years ago

Where did you put this code? I see no reason why it shouldn't work.

I created a middleware function that handles where some requests should be redirected

        MIDDLEWARE.append('myapp.apps.OTPEnforceMiddleware')

The thing I have seen this code does is: if the user has enabled MFA, it asks for the token anyway; however, if the user has not enabled it but the page requires it, he can see the page with no problem. My problem, what I need, is that in debug mode I do not want a user that has enabled MFA to be asked for the token. Is it possible?

Also, you might want to look into your servers' clocks. OTP shouldn't care about being on the same server, but it does care about time.

Same code working on my computer: if I run it on port 8035 using python manage.py runserver and use the QR obtained, I can log in without any problem; if I run the same code in a docker container on another port, it does not accept the verification token generated by the Google Authenticator. They are the same computer; may it be a problem with the clock there? If so, do you have any idea how to solve it?

Thanks a lot!

moggers87 commented 4 years ago

The thing I have seen this code does is: if the user has enabled MFA, it asks for the token anyway; however, if the user has not enabled it but the page requires it, he can see the page with no problem. My problem, what I need, is that in debug mode I do not want a user that has enabled MFA to be asked for the token. Is it possible?

If I've understood you correctly, you just need to add the code from your earlier comment to your middleware.

Same code working on my computer: if I run it on port 8035 using python manage.py runserver and use the QR obtained, I can log in without any problem; if I run the same code in a docker container on another port, it does not accept the verification token generated by the Google Authenticator. They are the same computer; may it be a problem with the clock there? If so, do you have any idea how to solve it?

OK, that doesn't sound like a clock issue then. As far as I understand, docker just uses the host clock. What happens if you run the docker container on port 8035 as you did with runserver?