While testing django-multifactor in my dev environment, I ran into an issue where after registering a YubiKey, I wasn't able to open the /accounts/mfa URL anymore. When trying to open it, it would go into a redirection loop between /accounts/mfa/authenticate/ and /accounts/mfa/add/.
Upon investigation, I narrowed it down to line 133 on the Authenticate view. There, self.request.get_host() is called and compared to the domain registered with the 2nd factor. The domain, in that case, would be the RP ID, which doesn't include a port.
On my local environment, self.request.get_host() returns hostname:8000, causing the comparison to fail, and because there are no methods available, the check on line 138 redirects to the add view.
I quickly patched line 133 to read if domain != self.request.get_host().split(':')[0]: and that solved the issue for me, but I haven't done further testing to see if something else is affected.
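
The comparison described in the report, as an added example that is not part of the original post or of django-multifactor's code: it strips the port from a Host header value before comparing it with the RP ID, and goes beyond the hostname:8000 case to cover bracketed IPv6 literals, where splitting on ':' returns '['. The function names and sample host values are constructed for illustration.

```python
from urllib.parse import urlsplit


def naive_host(host_header: str) -> str:
    """The split(':')[0] approach quoted in the report."""
    return host_header.split(":")[0]


def host_without_port(host_header: str) -> str:
    """Return the lower-cased hostname from a Host header value.

    Accepts "name", "name:port", "[v6]" and "[v6]:port". Raises ValueError
    for anything that is not a bare host with an optional numeric port.
    """
    if not host_header or any(c in "/@?#\\" or c.isspace() for c in host_header):
        raise ValueError(f"not a bare host[:port]: {host_header!r}")
    parts = urlsplit("//" + host_header)  # leading "//" makes it parse as a netloc
    _ = parts.port                        # raises ValueError on a non-numeric port
    if not parts.hostname:
        raise ValueError(f"no hostname in {host_header!r}")
    return parts.hostname.rstrip(".")     # hostname is already lower-cased


def host_matches_rp_id(host_header: str, rp_id: str) -> bool:
    """Compare the request host, port removed, with the stored RP ID."""
    try:
        return host_without_port(host_header) == rp_id.lower().rstrip(".")
    except ValueError:
        return False  # unparseable host: treat as a mismatch


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for host in ("localhost:8000", "Example.COM.:443", "[::1]:8000", "localhost:80a"):
        print(f"{host!r:22} naive={naive_host(host)!r:14} "
              f"matches localhost={host_matches_rp_id(host, 'localhost')}")
```
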