def test(user: UserProfile) -> bool: """ :if_configured: If ``True``, an authenticated user with no confirmed OTP devices will be allowed. Default is ``False``. If ``False``, 2FA will not do any authentication. """ if_configured = settings.TWO_FACTOR_AUTHENTICATION_ENABLED if not if_configured: return True return user.is_verified() or (_user_is_authenticated(user) and not user_has_device(user))
def _verify_user(self, request, user): """ Sets OTP-related fields on an authenticated user. """ user.otp_device = None user.is_verified = functools.partial(is_verified, user) if _user_is_authenticated(user): persistent_id = request.session.get(DEVICE_ID_SESSION_KEY) device = self._device_from_persistent_id( persistent_id) if persistent_id else None if (device is not None) and (device.user_id != user.id): device = None if (device is None) and (DEVICE_ID_SESSION_KEY in request.session): del request.session[DEVICE_ID_SESSION_KEY] user.otp_device = device return user
def process_request(self, request): """ Automatically ensure users who should be logged in via OTP are. """ current_url = request.path_info # We don't need to worry about annon users if _user_is_anonymous(request.user): return None # A select few views can't be captured. For example # * Logout means we can never leave the site # * OTP login means a redirect loop when viewing the otp login url. # if current_url in self.excluded_urls_list: # FIXME: This is really poor and should be fixed. Something like # https://stackoverflow.com/a/30197797 will help, but this is still a hack. for exclude_url in self.excluded_urls_list: test_result = current_url.find(exclude_url) if test_result >= 0: logger.debug( 'Currently requested url ({0}) matches {1} in excluded urls list ({2})' .format(current_url, exclude_url, self.excluded_urls_list)) return None logger.debug('{0} visited {1} which is not excluded'.format( request.user, current_url)) # Only need to check in more detail if they are logged in if _user_is_authenticated(request.user): # Run our checks and redirect code, it lives apart to be easily overridden. if self.user_must_authenticate(request): # Returned true, send the user away logger.debug( '{0} needs to supply their second factor. Redirecting to {1}' .format(request.user, self.otp_login_url)) return HttpResponseRedirect(self.otp_login_url) # If nothing else causes a redirect, return None to finish off return None
def test(user): return user.is_verified() or (if_configured and _user_is_authenticated(user) and not user_has_device(user))