jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

More complete instructions for setting up 2FA on custom admin #740

Closed sjpriest closed 1 month ago

sjpriest commented 1 month ago

Hi! I don't have any issues to report at the moment, but wanted to make a small suggestion regarding the documentation. I think this could also be a patch that redirects to 'two-factor:setup' as in the 'done' method of the LoginView.

It seems like no one else is encountering this problem, so maybe I took a wrong turn somewhere, but examining the OTP admin classes I found no redirect to the setup page for working admin accounts.

Expected Behavior

I expected to install the package, implement a 2FA admin site, and be redirected to 2FA setup. I have a custom admin account that I only use for the admin page.

Current Behavior

Using AdminSiteOTPRequired to create a custom admin class, the user is continuously redirected to the admin login page when logging in with correct credentials prior to setting up a 2FA device. Ultimately, I simply navigated to /account/two_factor/setup/ in the browser and successfully set up 2FA.

Possible Solution

Change the documentation to indicate how to set up initial 2FA when only applying it to a custom admin page.

Steps to Reproduce (for bugs)

  1. Install package and follow installation instructions as normal.
  2. Implement a custom admin such as class OTPAdminSite(AdminSiteOTPRequired), otp_admin_site = OTPAdminSite(name='otp_admin'), with path('admin/', otp_admin_site.urls) in urls.
  3. Navigate to /admin and log in with working credentials.
  4. You will be redirected to /admin with no additional information, as you are not yet verified.

Context

I was trying to implement 2FA on a custom admin page and it took me a long time to figure out that there was no automated 2FA setup for this use case.

Your Environment

moggers87 commented 1 month ago

I think what you're looking for is covered here: https://github.com/jazzband/django-two-factor-auth/issues/219#issuecomment-1866161347

There was a PR made to fix this, but there were some issues with tests IIRC: https://github.com/jazzband/django-two-factor-auth/pull/370

Closing this as a duplicate of #219

sjpriest commented 1 month ago

Ah, yup! Looks like that does cover it. If the pull request is held up, maybe some mention of the issue could be made in the documentation? That's a much quicker and easier path to a lot less frustration.