RequiredTwoFactor Middleware Setup Not Working

valohai / django-allauth-2fa

Two-factor authentication for Django Allauth

Other

212 stars 50 forks source link

RequiredTwoFactor Middleware Setup Not Working #104

Open roddajohn opened 4 years ago

roddajohn commented 4 years ago

Hi,

I have a custom Middleware (source below) that should link whether two factor is required to a user model field. This is working and correctly determining when two factor should be required, and when not.

However, when a user for whom two factor is required logins, and is (correctly) redirected to the setup two factor page, the token is always coming back invalid. If a user doesn't have two factor required but setups up the two factor, the token works just fine.

Any ideas?

users.middleware.RequireTwoFactorRequiredMiddleware

from allauth_2fa.middleware import BaseRequire2FAMiddleware                                               

class RequireTwoFactorRequiredMiddleware(BaseRequire2FAMiddleware):                                       
    def require_2fa(self, request):                                                                       
        return request.user.two_factor_required

Middleware ordering:

'django_otp.middleware.OTPMiddleware',
'allauth_2fa.middleware.AllauthTwoFactorMiddleware',
'users.middleware.RequireTwoFactorRequiredMiddleware'

clokep commented 4 years ago

redirected to the setup two factor page, the token is always coming back invalid. If a user doesn't have two factor required but setups up the two factor, the token works just fine.

I'm not really sure what you mean here. Do you mean they end up at the setup two-factor page (the page that shows the QR code), but when submitting it the token is rejected?

The code should be identical in both cases so I'm not sure why that would be happening. Is there a more specific error than "invalid"?

roddajohn commented 4 years ago

Yes, there are two cases:

User has two factor required, but not setup. When they login they are directed to setup two factor, I scan the QR code and enter the token -- I get the form validation error indicating the token is invalid
User does not have two factor required, and also not setup. When they setup two factor, it works fine.

Yeah that was my first glance too -- that the code is identical -- the error I'm seeing is the front end form validation error thrown when the token is invalid, found in allauth_2fa/forms.py

roddajohn commented 4 years ago

How would I get a more detailed error? Can I uncover the underlying reason why the token is invalid?

clokep commented 4 years ago

The corresponding code is in https://github.com/percipient/django-allauth-2fa/blob/f2a2e77dcc93facd5885903acddfd23af3e53b99/allauth_2fa/forms.py#L41-L49

Does the user have multiple unconfirmed devices for some reason? Could be worth sub-classing that and poking a bit at the devices and such.

roddajohn commented 4 years ago

The user has 1 unconfirmed device -- just ran the query and played around with it a little bit, seems that I can't delete the one device (it's unconfirmed).

Some other issues I came across perhaps indicated that the issue had to do with throttling and some redirects (like static pages) also throwing the two factor required. I disabled throttling and can still experience the issue -- seems very odd.

simonkern commented 2 years ago

I can redproduce this issue on my installation

simonkern commented 2 years ago

@roddajohn Any chance you are running sth similar to #113? In case there is a second request that also gets redirected to the setup 2fa page, it might overwrite the unconfirmed key of your first request, which would then make it impossible to activate 2fa.