oliwarner / django-multifactor

Drop-in multifactor authentication subsystem for Django.
MIT License

Improper comparison between RP ID and self.request.get_host() #70

Open lamaral opened 10 months ago

lamaral commented 10 months ago

While testing django-multifactor in my dev environment, I ran into an issue where after registering a YubiKey, I wasn't able to open the /accounts/mfa URL anymore. When trying to open it, it would go into a redirection loop between /accounts/mfa/authenticate/ and /accounts/mfa/add/.

Upon investigation, I narrowed it down to line 133 on the Authenticate view. There, self.request.get_host() is called and compared to the domain registered with the 2nd factor. The domain in that case would be the RP ID, which doesn't include a port. On my local environment, self.request.get_host() returns hostname:8000, causing the comparison to fail, and because there are no methods available, the check on line 138 redirects to the add view.

I quickly patched line 133 to read if domain != self.request.get_host().split(':')[0]: and that solved the issue for me, but I haven't done further testing to see if something else is affected.
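The comparison the report describes, side by side with a port-tolerant version, as an added stand-alone example (not code from django-multifactor, and not Django's own split_domain_port helper, which a real view could call instead). The Host values below are constructed.

```python
import re

# Matches "host" or "host:port"; the host may be a bracketed IPv6 literal.
_HOST_RE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:\[\]]+)(?::(?P<port>\d+))?$")


def split_domain_port(host_header: str):
    """Return (domain, port) from an HTTP Host value; port is '' when absent.

    Hostnames are case-insensitive, so the domain is lowercased before use.
    Bracketed IPv6 literals keep their brackets.
    """
    match = _HOST_RE.match(host_header.strip())
    if not match:
        raise ValueError(f"malformed Host value: {host_header!r}")
    return match.group("host").lower(), match.group("port") or ""


def buggy_rp_id_matches_host(rp_id: str, host_header: str) -> bool:
    """The comparison from the report: a Host carrying a port never matches."""
    return rp_id == host_header


def rp_id_matches_host(rp_id: str, host_header: str) -> bool:
    """Corrected check: compare the registered RP ID against the request host
    with any port removed, so "hostname:8000" still matches RP ID "hostname"."""
    domain, _port = split_domain_port(host_header)
    return domain == rp_id.lower()


if __name__ == "__main__":
    # Constructed dev-server scenario from the report.
    print(buggy_rp_id_matches_host("hostname", "hostname:8000"))  # False
    print(rp_id_matches_host("hostname", "hostname:8000"))        # True
```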

StevenMapes commented 4 months ago

@oliwarner does v0.7 resolve this one? I believe it may, so it can be closed if it does.