Esempio n. 1
    def form_valid(self, form):
        """
        Persist the submitted device, drop the user's unconfirmed devices,
        and mark the session OTP-verified if it is not already.

        ``form.instance`` is passed to ``otp_login`` as the verifying
        device (presumably the device model the form wraps — confirm).
        The verification step is skipped when ``is_verified()`` already
        holds, so an already-verified session keeps its current device.
        """
        request = self.request
        form.save()
        utils.delete_unconfirmed_devices(request.user)

        # Only elevate the session when no second factor is recorded yet.
        if not request.user.is_verified():
            otp_login(request, form.instance)
        return super().form_valid(form)
Esempio n. 2
def init_otp(request):
    """
    Initialize OTP after login.

    Ensures the logged-in user has a TOTP device and an SOTP device
    (both named for their LDAP-backed secret), then runs the django_otp
    middleware so ``request.user.is_verified()`` is available.

    NOTE(review): ``verify_token()`` is called with no token; this relies
    on the project's TOTPDevice returning True only when OTP is disabled
    for the user (per the original comment). A True here marks the
    session verified, so confirm that contract on the device class.
    """
    user = request.user

    totp_device = TOTPDevice(user=user, name='TOTP device with LDAP secret')
    try:
        totp_device.save()
    except IntegrityError:
        # A device already exists for this user (presumably a uniqueness
        # constraint on user); reuse it instead of the unsaved instance.
        totp_device = TOTPDevice.objects.get(user=user)

    static_device = SOTPDevice(user=user, name='SOTP device with LDAP secret')
    try:
        static_device.save()
    except IntegrityError:
        # Already present; nothing below needs the SOTP instance.
        pass

    # If OTP is disabled the token check matches already (original note).
    if totp_device.verify_token():
        otp_login(request, totp_device)

    # Populate request.user.is_verified() for the rest of this request.
    OTPMiddleware().process_request(request)
Esempio n. 3
def init_otp(request):
    """
    Initialize OTP after login.

    Creates (or reuses) the user's TOTP device and creates the SOTP
    device if missing, optionally records the TOTP device as the
    session's verifying device, and runs the django_otp middleware so
    ``request.user.is_verified()`` is filled in.

    NOTE(review): ``tdev.verify_token()`` takes no token here; a True
    result marks the session verified without a user-supplied code, so
    confirm the project's device class only returns True when OTP is
    disabled for that user (as the original comment states).
    """

    def _saved(device):
        """Save *device*; return False if an IntegrityError was raised."""
        try:
            device.save()
        except IntegrityError:
            return False
        return True

    tdev = TOTPDevice(user=request.user,
                      name='TOTP device with LDAP secret')
    if not _saved(tdev):
        # Existing device for this user wins over the unsaved instance.
        tdev = TOTPDevice.objects.get(user=request.user)

    sdev = SOTPDevice(user=request.user,
                      name='SOTP device with LDAP secret')
    _saved(sdev)  # an existing SOTP device is simply left as-is

    # if OTP is disabled, it will match already
    if tdev.verify_token():
        otp_login(request, tdev)

    # add .is_verified()
    OTPMiddleware().process_request(request)
Esempio n. 4
def test_verified_request(rf, superuser):
    """
    A request whose session is OTP-verified with a confirmed device must
    pass VerifyUserMiddleware untouched (``process_request`` returns None).
    """
    totp = TOTPDevice.objects.create(user=superuser, confirmed=True)
    request = rf.get("/admin/")
    request.user = superuser
    # Record the confirmed device as this request's second factor.
    otp_login(request, totp)

    assert VerifyUserMiddleware().process_request(request) is None
Esempio n. 5
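def accept(request, invitation, device, password):
    """
    Complete an invitation: set the user's password, confirm *device*,
    remove the user's other devices, delete the invitation, then log the
    user in and mark the session OTP-verified with *device*.

    Args:
        request: the current HttpRequest (session is written by login()).
        invitation: object exposing ``.user`` and ``.delete()``.
        device: OTP device to confirm and keep.
        password: new password for ``invitation.user``.

    Raises:
        AssertionError: if re-authenticating with the new password fails.
    """
    user = invitation.user
    user.set_password(password)
    user.save()
    device.confirmed = True
    device.save()
    # Presumably removes every other OTP device of the user — confirm.
    devices.delete_all(user, keep=device)
    invitation.delete()
    user2 = authenticate(username=user.get_username(), password=password)
    # Explicit check rather than a bare `assert`: `python -O` strips
    # asserts, and login() below must never run with a failed auth result.
    if not user2:
        raise AssertionError(
            'authentication with the newly set password failed')
    login(request, user2)
    otp_login(request, device)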
Esempio n. 6
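def accept(request, invitation, device, password):
    """
    Finish accepting an invitation.

    Sets *password* on ``invitation.user``, confirms *device*, deletes the
    user's other devices (``devices.delete_all(..., keep=device)``) and the
    invitation itself, re-authenticates with the new password, logs in and
    records *device* as the session's verified second factor.

    Raises:
        AssertionError: if ``authenticate()`` returns no user.
    """
    user = invitation.user
    user.set_password(password)
    user.save()
    device.confirmed = True
    device.save()
    devices.delete_all(user, keep=device)
    invitation.delete()
    user2 = authenticate(username=user.get_username(), password=password)
    # Raise explicitly: a bare `assert` disappears under `python -O`, and
    # this check is what keeps login() from running on a failed auth.
    if not user2:
        raise AssertionError(
            'authentication with the newly set password failed')
    login(request, user2)
    otp_login(request, device)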
Esempio n. 7
def otp_verify(request):
    """
    Render and process the OTP token form for the current user.

    GET shows an empty ``OTPTokenForm``. A valid POST marks the session
    verified with ``request.user.otp_device`` and redirects to the
    ``next`` value from POST (falling back to GET), replaced by
    ``LOGIN_REDIRECT_URL`` when ``is_safe_url`` rejects it. An invalid POST
    re-renders the bound form.

    NOTE(review): this is the host-only ``is_safe_url(url=, host=)`` form;
    on Django versions that offer ``allowed_hosts``/``require_https`` the
    newer signature is stricter — confirm which Django this targets.
    """
    if request.method != 'POST':
        form = OTPTokenForm(request.user, request)
        return render(request, 'otp_verify.html', {
            'form': form,
        })

    redirect_to = request.POST.get(
        REDIRECT_FIELD_NAME, request.GET.get(REDIRECT_FIELD_NAME, ''))
    form = OTPTokenForm(request.user, request, request.POST)
    if not form.is_valid():
        return render(request, 'otp_verify.html', {
            'form': form,
        })

    otp_login(request, request.user.otp_device)
    # Ensure the user-originating redirection url is safe.
    # From django.contrib.auth.views.login
    if not is_safe_url(url=redirect_to, host=request.get_host()):
        redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
    return HttpResponseRedirect(redirect_to)
Esempio n. 8
def otp_verify(request):
    """
    OTP token entry view.

    On POST, validate ``OTPTokenForm`` against the current user; on
    success call ``otp_login`` with ``request.user.otp_device`` and
    redirect to the requested ``next`` URL (POST, then GET, then ''),
    substituting ``LOGIN_REDIRECT_URL`` when the URL is not host-safe.
    Otherwise render ``otp_verify.html`` with the form.

    NOTE(review): ``is_safe_url(url=, host=)`` only checks the host; if
    the project's Django provides ``allowed_hosts``/``require_https``,
    that form also rejects scheme downgrades — confirm the version.
    """
    is_post = request.method == 'POST'
    if is_post:
        requested = request.GET.get(REDIRECT_FIELD_NAME, '')
        redirect_to = request.POST.get(REDIRECT_FIELD_NAME, requested)
        form = OTPTokenForm(request.user, request, request.POST)
    else:
        form = OTPTokenForm(request.user, request)

    if is_post and form.is_valid():
        otp_login(request, request.user.otp_device)
        # Ensure the user-originating redirection url is safe.
        # From django.contrib.auth.views.login
        if not is_safe_url(url=redirect_to, host=request.get_host()):
            redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
        return HttpResponseRedirect(redirect_to)

    context = {
        'form': form,
    }
    return render(request, 'otp_verify.html', context)
Esempio n. 9
def login_2fa(request, next_page=None):
    """
    Second-factor login view.

    ``_setup_view`` yields the resolved ``next_page`` and two flags:
    ``okay_auth`` (password session still fresh) and ``okay_2fa`` (second
    factor already satisfied). Stale auth goes back to the password login
    page; a satisfied second factor redirects straight to ``next_page``.
    Otherwise the user's devices are loaded from
    ``request.maybe_stale_user`` and a ``TokenForm`` is shown; a valid
    token records the 2FA time, calls ``otp_login``, writes a LogEntry
    and redirects to ``next_page``.

    NOTE(review): ``next_page`` is used in a redirect as returned by
    ``_setup_view``; whether it is validated as a safe URL is not visible
    here — confirm in ``_setup_view``.
    """
    next_page, okay_auth, okay_2fa = _setup_view(request, next_page)

    if not okay_auth:
        # Stale standard-Django authentication: redirect to password login page.
        query = urlencode({'next': next_page})
        return HttpResponseRedirect(settings.PASSWORD_LOGIN_URL + '?' + query)

    if okay_2fa:
        return HttpResponseRedirect(next_page)

    # Need to do 2FA for this user.
    user_devices = list(all_otp_devices(request.maybe_stale_user))
    if not user_devices:
        messages.add_message(
            request, messages.WARNING,
            'You are required to do two-factor authentication but have no device enabled. You must add one.'
        )
        query = urlencode({'next': next_page})
        return HttpResponseRedirect(reverse('otp:add_topt') + '?' + query)

    form = TokenForm()
    if request.method == 'POST':
        form = TokenForm(data=request.POST, devices=user_devices)
        if form.is_valid():
            # OTP is valid: record last 2FA time in SessionInfo; have django_otp record what it needs in the session
            SessionInfo.just_2fa(request)
            request.user = request.maybe_stale_user  # otp_login looks at request.user
            otp_login(request, form.device)

            username = request.user.username
            log_entry = LogEntry(
                userid=username,
                description="2FA as %s from %s" % (username, ip.get_ip(request)),
                related_object=request.user)
            log_entry.save()

            return HttpResponseRedirect(next_page)

    return render(request, 'otp/login_2fa.html', {
        'form': form,
    })
Esempio n. 10
def login_2fa(request, next_page=None):
    """
    Handle the second factor of a two-step login.

    Uses ``_setup_view`` to obtain ``next_page`` plus the ``okay_auth`` /
    ``okay_2fa`` flags. A stale password session is bounced to
    ``PASSWORD_LOGIN_URL``; a user with no OTP device is warned and sent
    to ``otp:add_topt``; a valid ``TokenForm`` submission records the 2FA
    time (``SessionInfo.just_2fa``), calls ``otp_login`` with the matched
    device, saves a LogEntry naming the user and client IP, and redirects
    to ``next_page``.

    NOTE(review): ``next_page`` comes from ``_setup_view`` and is redirected
    to directly; its safety check, if any, lives there — confirm.
    """
    next_page, okay_auth, okay_2fa = _setup_view(request, next_page)

    def _with_next(base):
        """Append ``?next=<next_page>`` to *base*."""
        return base + '?' + urlencode({'next': next_page})

    if not okay_auth:
        # Stale standard-Django authentication: redirect to password login page.
        return HttpResponseRedirect(_with_next(settings.PASSWORD_LOGIN_URL))

    if not okay_2fa:
        # Need to do 2FA for this user.
        user_devices = list(all_otp_devices(request.maybe_stale_user))
        if not user_devices:
            messages.add_message(request, messages.WARNING, 'You are required to do two-factor authentication but have no device enabled. You must add one.')
            return HttpResponseRedirect(_with_next(reverse('otp:add_topt')))

        if request.method != 'POST':
            form = TokenForm()
        else:
            form = TokenForm(data=request.POST, devices=user_devices)
            if form.is_valid():
                # OTP is valid: record last 2FA time in SessionInfo; have django_otp record what it needs in the session
                SessionInfo.just_2fa(request)
                request.user = request.maybe_stale_user  # otp_login looks at request.user
                otp_login(request, form.device)

                username = request.user.username
                log_entry = LogEntry(
                    userid=username,
                    description="2FA as %s from %s" % (username, ip.get_ip(request)),
                    related_object=request.user)
                log_entry.save()

                return HttpResponseRedirect(next_page)

        return render(request, 'otp/login_2fa.html', {'form': form})

    return HttpResponseRedirect(next_page)
Esempio n. 11
 def form_valid(self, form):
     """
     Mark the session OTP-verified with ``request.user.otp_device`` (the
     device the validated form left on the user — confirm against the
     form class), then defer to the parent's ``form_valid``.
     """
     verified_device = self.request.user.otp_device
     otp_login(self.request, verified_device)
     return super().form_valid(form)