def _redirect_for_two_factor_authentication(user_id: UserId) -> None:
if requested_file_name(request) in (
"user_login_two_factor",
"user_webauthn_login_begin",
"user_webauthn_login_complete",
):
return
if userdb.is_two_factor_login_enabled(
user_id) and not userdb.is_two_factor_completed():
raise HTTPRedirect("user_login_two_factor.py?_origtarget=%s" %
urlencode(makeuri(request, [])))
if not userdb.is_customer_user_allowed_to_login(user_id):
raise MKAuthException(f"{user_id} may not log in here.")
if userdb.user_locked(user_id):
raise MKAuthException(f"{user_id} not authorized.")
if change_reason := userdb.need_to_change_pw(user_id, now):
raise MKAuthException(
f"{user_id} needs to change the password ({change_reason}).")
if userdb.is_two_factor_login_enabled(user_id):
if final_candidate["scope"] != "cookie":
raise MKAuthException(
f"{user_id} has two-factor authentication enabled, which can only be used in "
"interactive GUI sessions.")
if not userdb.is_two_factor_completed():
raise MKAuthException(
"The two-factor authentication needs to be passed first.")
return final_candidate
def user_from_basic_header(auth_header: str) -> Tuple[UserId, str]:
"""Decode a Basic Authorization header
Examples:
>>> user_from_basic_header("Basic Zm9vYmF6YmFyOmZvb2JhemJhcg==")
('foobazbar', 'foobazbar')
>>> import pytest