If a user is already logged in with a single factor (password) by means other than `two_factor.views.core.LoginView`, there is currently no way to just redirect the MFA-enabled user to a "challenge device" step.
For example, when using the django auth Password Reset flow with `post_reset_login = True`, the user is logged in after a successful password reset, but has not had their second factor challenged.
Another example is when using django social auth or allowing login with external accounts in general ("Sign in with Google Account"): another view is in charge of logging the user in, and it would be useful to be able to then redirect the user to a token/Challenge Device step directly, skipping the two_factor LoginView `auth` step.
Expected Behavior
- [ ] Either add a `two_factor.TokenView` that just challenges the second factor if the user has enabled MFA already, or redirects to the Setup flow if the user has not enabled MFA yet.
or
- [ ] split the `two_factor.LoginView` into 2 views: one that just does the `auth` step, and one that just does the `token` and `backup` steps.
Current Behavior
There is only a `two_factor.LoginView` that does both the `auth` and `token` steps, and no way to start from the `token` step directly if the user is already `user.is_authenticated` but not yet `user.is_verified()`.
Possible Solution
See "Expected Behavior" above.
Context
Letting the user be authenticated by means other than the `two_factor.LoginView`, such as when using django social auth or at the end of a successful password reset.
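As an added illustration (not code from django-two-factor-auth or this issue), a framework-agnostic sketch of the decision the requested view or a surrounding middleware would hinge on: a user who is authenticated but not `is_verified()` is sent to a challenge step if they have a confirmed device, or to setup otherwise, with the MFA views themselves exempted so the redirect cannot loop. The `User` stand-in, the URLs and the `has_confirmed_device` flag are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed stand-in for a Django user. In django-two-factor-auth,
# is_verified() comes from django_otp's middleware and is True only
# after a second factor has been challenged in this session.
@dataclass
class User:
    is_authenticated: bool
    has_confirmed_device: bool     # MFA set up (a confirmed OTP device exists)
    second_factor_verified: bool   # second factor challenged this session

    def is_verified(self) -> bool:
        return self.is_authenticated and self.second_factor_verified

# Hypothetical URLs for the views the issue asks for (assumed, not the project's).
CHALLENGE_URL = "/account/two_factor/challenge/"   # would be two_factor.TokenView
SETUP_URL = "/account/two_factor/setup/"
# Paths that must stay reachable without a verified second factor; without
# this exemption the challenge/setup views would redirect to themselves.
EXEMPT_PREFIXES = (CHALLENGE_URL, SETUP_URL, "/account/logout/", "/static/")

def second_factor_redirect(user: User, path: str, require_setup: bool = True) -> Optional[str]:
    """Return the URL to redirect to, or None if the request may proceed."""
    if not user.is_authenticated:
        return None                     # anonymous: normal login flow handles it
    if user.is_verified():
        return None                     # both factors done this session
    if path.startswith(EXEMPT_PREFIXES):
        return None                     # do not loop on the MFA views themselves
    next_param = urlencode({"next": path})   # preserve the intended destination
    if user.has_confirmed_device:
        return f"{CHALLENGE_URL}?{next_param}"   # MFA enabled: challenge the device
    if require_setup:
        return f"{SETUP_URL}?{next_param}"       # MFA not enabled: go to setup
    return None                         # MFA optional: single factor accepted

class SecondFactorMiddleware:
    """Middleware-shaped wrapper; `redirect` is any callable(url) -> response."""
    def __init__(self, get_response, redirect):
        self.get_response = get_response
        self.redirect = redirect

    def __call__(self, request):
        target = second_factor_redirect(request.user, request.path)
        return self.redirect(target) if target else self.get_response(request)
```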