Closed pennersr closed 1 year ago
The use of `has_valid_totp_device` doesn't seem to check `staticdevice_set`, so that's likely what's wrong.
I actually see very few uses of this at all in the code -- does logging in via backup tokens still work?!
Logging in via backup tokens works. The difference is that, for logging in, this form is used -- reusing logic from django-otp:
```python
from django import forms
from django_otp.forms import OTPAuthenticationFormMixin
class TOTPAuthenticateForm(OTPAuthenticationFormMixin, forms.Form):
    ...  # body not included in the quoted excerpt
```
For removal, there is only this logic:
```python
from django import forms
class TOTPDeviceRemoveForm(forms.Form):
    token = forms.CharField()  # field and the __init__ that sets self.user are not in the quoted excerpt

    def clean_token(self):
        token = self.cleaned_data["token"]
        for device in self.user.totpdevice_set.filter(confirmed=True):  # TOTP devices only; staticdevice_set is never consulted
            if device.verify_token(token):
                return token
        raise forms.ValidationError("Invalid token.")
```
Starting from 0.10.0, disabling 2FA requires a token, which is good. However, I would have expected that I could enter a backup token as well here, and that does not seem to be supported.
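The thread above comes down to the removal form consulting only `totpdevice_set`. The block below is an added example, not code from allauth-2fa, django-allauth or django-otp: a stdlib-only model of the check, with constructed stand-in `TOTPDevice` / `StaticDevice` classes in place of the django_otp models of the same name and a constructed user with made-up backup tokens. `verify_removal_token_totp_only` mirrors the quoted `clean_token`; `verify_removal_token` is the version that also accepts an unused backup token and consumes it so it cannot be replayed.

```python
"""Added example, not code from allauth-2fa, django-allauth or django-otp.

Stdlib-only model of the check a 2FA-removal form should make.  TOTPDevice and
StaticDevice are constructed stand-ins for the django_otp models of the same
name; the HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238 (HMAC-SHA1,
6 digits, 30-second step).
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class TOTPDevice:
    """Stand-in for django_otp's TOTPDevice (constructed for this example)."""
    key: bytes
    confirmed: bool = True
    step: int = 30
    tolerance: int = 1   # accept one step either side of the clock
    last_t: int = -1     # highest accepted step, so a code is never replayed

    def verify_token(self, token: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        t = now // self.step
        for cand in range(max(0, t - self.tolerance), t + self.tolerance + 1):
            if cand <= self.last_t:
                continue  # already used this or a later step
            if hmac.compare_digest(hotp(self.key, cand).encode(), token.encode()):
                self.last_t = cand
                return True
        return False


@dataclass
class StaticDevice:
    """Stand-in for django_otp's StaticDevice (constructed for this example)."""
    tokens: set = field(default_factory=set)
    confirmed: bool = True

    def verify_token(self, token: str) -> bool:
        # Backup tokens are single-use: a match deletes the token (django_otp does
        # the same), so one backup code cannot be used to disable 2FA twice.
        if token in self.tokens:
            self.tokens.remove(token)
            return True
        return False


@dataclass
class User:
    totp_devices: list     # plays the role of user.totpdevice_set
    static_devices: list   # plays the role of user.staticdevice_set


def verify_removal_token_totp_only(user: User, token: str, now: Optional[int] = None) -> bool:
    """What the quoted TOTPDeviceRemoveForm.clean_token does: TOTP devices only."""
    return any(d.verify_token(token, now) for d in user.totp_devices if d.confirmed)


def verify_removal_token(user: User, token: str, now: Optional[int] = None) -> bool:
    """Hardened check: a valid TOTP code *or* an unused backup token disables 2FA."""
    if verify_removal_token_totp_only(user, token, now):
        return True
    return any(d.verify_token(token) for d in user.static_devices if d.confirmed)


def make_user() -> User:
    """Constructed sample data: the RFC 4226 test key and two made-up backup tokens."""
    return User(
        totp_devices=[TOTPDevice(key=b"12345678901234567890")],
        static_devices=[StaticDevice(tokens={"k3x9p2q7", "m8d4w1z6"})],
    )


if __name__ == "__main__":
    user = make_user()
    now = 59  # fixed clock so the run is reproducible
    code = hotp(user.totp_devices[0].key, now // 30)
    print(verify_removal_token_totp_only(user, code, now))               # True
    print(verify_removal_token_totp_only(make_user(), "k3x9p2q7", now))  # False: backup tokens ignored
    print(verify_removal_token(user, "k3x9p2q7", now))                   # True: accepted once
    print(verify_removal_token(user, "k3x9p2q7", now))                   # False: consumed
```

The two things worth carrying over to a real form are the order of checks (TOTP first, then static devices) and that a backup token must be deleted when it succeeds; a removal form that merely looks the token up in `staticdevice_set` without consuming it would let the same backup code be replayed.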