valohai / django-allauth-2fa

Two-factor authentication for Django Allauth

Disabling 2FA does not work with a backup token #152

Closed pennersr closed 1 year ago

pennersr commented 1 year ago

Starting from 0.10.0 disabling 2FA requires a token, which is good. However, I would have expected that I could enter a backup token as well here, and that does not seem to be supported.

clokep commented 1 year ago

The use of has_valid_totp_device doesn't seem to check staticdevice_set, so that's likely what's wrong.

I actually see very few uses of this at all in the code -- does logging in via backup tokens still work?!

pennersr commented 1 year ago

Logging in via backup tokens works. The difference is that for logging in this form is used -- reusing logic from django-otp:

from django import forms
from django_otp.forms import OTPAuthenticationFormMixin

# Login form: the mixin's token check covers every confirmed device of the user,
# TOTP and static (backup) devices alike.
class TOTPAuthenticateForm(OTPAuthenticationFormMixin, forms.Form):
    pass

For removal, there is only this logic:

class TOTPDeviceRemoveForm(forms.Form):
    token = forms.CharField()

    def clean_token(self):
        token = self.cleaned_data["token"]
        # Only confirmed TOTP devices are consulted; staticdevice_set (backup tokens) is never checked.
        for device in self.user.totpdevice_set.filter(confirmed=True):
            if device.verify_token(token):
                return token
        raise forms.ValidationError("Invalid token.")