def test(user: UserProfile) -> bool:
"""
:if_configured: If ``True``, an authenticated user with no confirmed
OTP devices will be allowed. Default is ``False``. If ``False``,
2FA will not do any authentication.
"""
if_configured = settings.TWO_FACTOR_AUTHENTICATION_ENABLED
if not if_configured:
return True
return user.is_verified() or (_user_is_authenticated(user)
and not user_has_device(user))
def _verify_user(self, request, user):
"""
Sets OTP-related fields on an authenticated user.
"""
user.otp_device = None
user.is_verified = functools.partial(is_verified, user)
if _user_is_authenticated(user):
persistent_id = request.session.get(DEVICE_ID_SESSION_KEY)
device = self._device_from_persistent_id(
persistent_id) if persistent_id else None
if (device is not None) and (device.user_id != user.id):
device = None
if (device is None) and (DEVICE_ID_SESSION_KEY in request.session):
del request.session[DEVICE_ID_SESSION_KEY]
user.otp_device = device
return user
def process_request(self, request):
"""
Automatically ensure users who should be logged in via OTP are.
"""
current_url = request.path_info
# We don't need to worry about annon users
if _user_is_anonymous(request.user):
return None
# A select few views can't be captured. For example
# * Logout means we can never leave the site
# * OTP login means a redirect loop when viewing the otp login url.
# if current_url in self.excluded_urls_list:
# FIXME: This is really poor and should be fixed. Something like
# https://stackoverflow.com/a/30197797 will help, but this is still a hack.
for exclude_url in self.excluded_urls_list:
test_result = current_url.find(exclude_url)
if test_result >= 0:
logger.debug(
'Currently requested url ({0}) matches {1} in excluded urls list ({2})'
.format(current_url, exclude_url, self.excluded_urls_list))
return None
logger.debug('{0} visited {1} which is not excluded'.format(
request.user, current_url))
# Only need to check in more detail if they are logged in
if _user_is_authenticated(request.user):
# Run our checks and redirect code, it lives apart to be easily overridden.
if self.user_must_authenticate(request):
# Returned true, send the user away
logger.debug(
'{0} needs to supply their second factor. Redirecting to {1}'
.format(request.user, self.otp_login_url))
return HttpResponseRedirect(self.otp_login_url)
# If nothing else causes a redirect, return None to finish off
return None
def test(user):
return user.is_verified() or (if_configured
and _user_is_authenticated(user)
and not user_has_device(user))
