def form_valid(self, form):
    """Persist the new device, prune stale unconfirmed ones and verify the session.

    The device form is saved first; any devices of the requesting user that
    were never confirmed are then removed via ``utils.delete_unconfirmed_devices``.
    If the session is not already OTP-verified (``user.is_verified()``), the
    freshly saved device (``form.instance``) is handed to ``otp_login`` so the
    user is not asked for a second token for a device they just set up.

    NOTE(review): this trusts ``form.instance`` as a second factor on the
    strength of the form alone; presumably the form validated a token for
    that device before ``is_valid()`` passed — confirm in the form class.
    """
    form.save()
    user = self.request.user
    utils.delete_unconfirmed_devices(user)
    if not user.is_verified():
        # Bind the just-saved device to this session as the verified factor.
        otp_login(self.request, form.instance)
    return super().form_valid(form)
def init_otp(request):
    """Provision the per-user OTP devices after login and populate ``is_verified``.

    Ensures one ``TOTPDevice`` and one ``SOTPDevice`` (both named as backed by
    the LDAP secret) exist for ``request.user``. An ``IntegrityError`` on save
    means the row already exists: the TOTP device is then re-read from the
    database, the SOTP one is simply left alone. The session is marked
    OTP-verified via ``otp_login`` when ``tdev.verify_token()`` succeeds with no
    token (per the original comment, the "OTP is disabled" case), and
    ``OTPMiddleware`` is run so ``request.user`` gains ``is_verified()``.

    NOTE(review): the token-less ``verify_token()`` call is the path that grants
    a verified session without any user-supplied code; it relies on the device
    class returning True only when OTP is genuinely disabled for the account —
    confirm that contract in TOTPDevice before changing either side.
    NOTE(review): catching ``IntegrityError`` inside an outer ``atomic()`` block
    leaves the Django transaction unusable; presumably this runs outside one —
    verify against the caller.
    """
    user = request.user

    totp = TOTPDevice(user=user, name='TOTP device with LDAP secret')
    try:
        totp.save()
    except IntegrityError:
        # Already provisioned: use the stored row, not the unsaved instance.
        totp = TOTPDevice.objects.get(user=user)

    sotp = SOTPDevice(user=user, name='SOTP device with LDAP secret')
    try:
        sotp.save()
    except IntegrityError:
        pass  # already provisioned; nothing further is needed from it here

    # if OTP is disabled, it will match already
    if totp.verify_token():
        otp_login(request, totp)

    # Run the middleware so request.user.is_verified() reflects the above.
    OTPMiddleware().process_request(request)
def test_verified_request(rf, superuser):
    """An OTP-verified superuser request passes ``VerifyUserMiddleware`` untouched.

    Builds a GET for ``/admin/`` as ``superuser`` with a confirmed TOTP device,
    marks the request verified through ``otp_login`` and expects
    ``process_request`` to return ``None`` (no redirect or response forced).
    """
    request = rf.get("/admin/")
    request.user = superuser
    confirmed_device = TOTPDevice.objects.create(user=superuser, confirmed=True)
    otp_login(request, confirmed_device)

    outcome = VerifyUserMiddleware().process_request(request)
    assert outcome is None
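def accept(request, invitation, device, password):
    """Complete an invitation: set the password, confirm the device, log the user in.

    In order: the invited user's password is set to ``password``; ``device`` is
    marked confirmed and every other device of the user is removed
    (``devices.delete_all(user, keep=device)``); the invitation row is deleted;
    the user is re-authenticated with the new password, logged in with
    ``login`` and the session is OTP-verified for ``device``.

    Raises:
        RuntimeError: if ``authenticate`` returns ``None`` after the password
            was set (e.g. an account the auth backend refuses to authenticate).
            The original used a bare ``assert`` here, which is stripped under
            ``python -O`` and would then pass ``None`` straight into ``login``.

    NOTE(review): the password, device and invitation writes all happen before
    the authenticate check, so a failure here leaves them committed unless the
    caller wraps this in a transaction — confirm at the call site.
    """
    user = invitation.user
    user.set_password(password)
    user.save()

    device.confirmed = True
    device.save()
    # Only the device that was just confirmed survives.
    devices.delete_all(user, keep=device)

    invitation.delete()

    # Re-authenticate so the session is bound to the new credentials and the
    # configured auth backend gets to run its own checks.
    user2 = authenticate(username=user.get_username(), password=password)
    if user2 is None:
        raise RuntimeError(
            "authentication failed for %r after password reset" % user.get_username()
        )
    login(request, user2)
    otp_login(request, device)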
def otp_verify(request):
    """Prompt for, and validate, an OTP token for the already logged-in user.

    On POST the token is checked with ``OTPTokenForm``; a valid token marks the
    session verified via ``otp_login`` for the device the form matched
    (``request.user.otp_device``) and redirects to the ``next`` parameter (POST
    first, then GET) when ``is_safe_url`` accepts it for this host, otherwise to
    ``settings.LOGIN_REDIRECT_URL``. An invalid token, or a GET, renders
    ``otp_verify.html`` with the form.

    NOTE(review): ``is_safe_url`` is called with ``host=`` only, so an
    ``http://`` target on an ``https://`` site is still accepted; newer Django
    exposes ``require_https=request.is_secure()`` for that — check the
    project's Django version before relying on this redirect check.
    NOTE(review): nothing here checks ``request.user.is_authenticated``;
    presumably a decorator or middleware outside this view does — confirm.
    """
    if request.method != 'POST':
        form = OTPTokenForm(request.user, request)
        return render(request, 'otp_verify.html', {'form': form})

    fallback = request.GET.get(REDIRECT_FIELD_NAME, '')
    redirect_to = request.POST.get(REDIRECT_FIELD_NAME, fallback)

    form = OTPTokenForm(request.user, request, request.POST)
    if not form.is_valid():
        return render(request, 'otp_verify.html', {'form': form})

    otp_login(request, request.user.otp_device)
    # Ensure the user-originating redirection url is safe.
    # From django.contrib.auth.views.login
    if not is_safe_url(url=redirect_to, host=request.get_host()):
        redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
    return HttpResponseRedirect(redirect_to)
def otp_verify(request):
    """Second-factor check for a logged-in user: validate one OTP token.

    GET renders ``otp_verify.html`` with an unbound ``OTPTokenForm``. POST binds
    the form to ``request.POST``; when it validates, ``otp_login`` records
    ``request.user.otp_device`` (the device the form matched) on the session
    and the user is redirected to the ``next`` value (POST, falling back to
    GET) if ``is_safe_url`` accepts it for the current host, else to
    ``settings.LOGIN_REDIRECT_URL``. An invalid token re-renders the bound form.

    NOTE(review): the ``host=``-only ``is_safe_url`` call does not reject a
    scheme downgrade (https -> http); Django versions that offer
    ``require_https=request.is_secure()`` should pass it — verify the version.
    NOTE(review): this view assumes ``request.user`` is already authenticated;
    confirm the guard lives in a decorator or middleware.
    """
    template = 'otp_verify.html'

    if request.method == 'POST':
        redirect_to = request.POST.get(
            REDIRECT_FIELD_NAME,
            request.GET.get(REDIRECT_FIELD_NAME, ''),
        )
        bound = OTPTokenForm(request.user, request, request.POST)
        if bound.is_valid():
            otp_login(request, request.user.otp_device)
            # Ensure the user-originating redirection url is safe.
            # From django.contrib.auth.views.login
            safe = is_safe_url(url=redirect_to, host=request.get_host())
            target = redirect_to if safe else resolve_url(settings.LOGIN_REDIRECT_URL)
            return HttpResponseRedirect(target)
        context = {'form': bound}
    else:
        context = {'form': OTPTokenForm(request.user, request)}

    return render(request, template, context)
def login_2fa(request, next_page=None):
    """Second-factor step of login for the (possibly stale) session user.

    ``_setup_view`` resolves ``next_page`` and reports whether the password
    login is still fresh (``okay_auth``) and whether 2FA is already satisfied
    (``okay_2fa``). Stale password auth redirects to
    ``settings.PASSWORD_LOGIN_URL``; a user with 2FA pending but no device is
    warned and sent to ``otp:add_topt``; otherwise a ``TokenForm`` over the
    user's devices is shown and, on a valid POST, ``SessionInfo.just_2fa`` and
    ``otp_login`` record the verification and a ``LogEntry`` with the client
    IP is written before redirecting to ``next_page``. When 2FA is already
    satisfied the view just redirects to ``next_page``.

    NOTE(review): ``next_page`` is used verbatim in every redirect here, so
    open-redirect safety rests entirely on ``_setup_view`` — confirm it
    validates the host.
    """
    next_page, okay_auth, okay_2fa = _setup_view(request, next_page)

    if not okay_auth:
        # Stale standard-Django authentication: redirect to password login page.
        login_url = settings.PASSWORD_LOGIN_URL + '?' + urlencode({'next': next_page})
        return HttpResponseRedirect(login_url)

    if okay_2fa:
        return HttpResponseRedirect(next_page)

    # Need to do 2FA for this user.
    user_devices = list(all_otp_devices(request.maybe_stale_user))
    if not user_devices:
        messages.add_message(
            request, messages.WARNING,
            'You are required to do two-factor authentication but have no device enabled. You must add one.'
        )
        add_url = reverse('otp:add_topt') + '?' + urlencode({'next': next_page})
        return HttpResponseRedirect(add_url)

    if request.method == 'POST':
        form = TokenForm(data=request.POST, devices=user_devices)
        if form.is_valid():
            # OTP is valid: record last 2FA time in SessionInfo; have django_otp
            # record what it needs in the session
            SessionInfo.just_2fa(request)
            request.user = request.maybe_stale_user  # otp_login looks at request.user
            otp_login(request, form.device)
            username = request.user.username
            entry = LogEntry(
                userid=username,
                description="2FA as %s from %s" % (username, ip.get_ip(request)),
                related_object=request.user,
            )
            entry.save()
            return HttpResponseRedirect(next_page)
    else:
        form = TokenForm()

    return render(request, 'otp/login_2fa.html', {'form': form})
def login_2fa(request, next_page=None):
    """Ask the session user for a second factor, or pass through if already done.

    ``_setup_view`` returns the resolved ``next_page`` plus two flags: whether
    the password login is still valid and whether 2FA has already been
    completed. Flow on the flags: stale password auth -> redirect to
    ``settings.PASSWORD_LOGIN_URL`` carrying ``next``; 2FA done -> redirect to
    ``next_page``; 2FA pending with no devices -> warning message and redirect
    to ``otp:add_topt``; otherwise render/validate a ``TokenForm``. A valid
    token updates ``SessionInfo``, calls ``otp_login`` for the matched device,
    writes a ``LogEntry`` with the client IP and redirects to ``next_page``.

    NOTE(review): every redirect uses ``next_page`` as returned by
    ``_setup_view`` without further checks — that helper is expected to have
    validated it against allowed hosts; confirm.
    """
    next_page, okay_auth, okay_2fa = _setup_view(request, next_page)

    if not okay_auth:
        # Stale standard-Django authentication: redirect to password login page.
        query = urlencode({'next': next_page})
        return HttpResponseRedirect(settings.PASSWORD_LOGIN_URL + '?' + query)

    if not okay_2fa:
        # Need to do 2FA for this user.
        available = list(all_otp_devices(request.maybe_stale_user))
        if not available:
            messages.add_message(
                request, messages.WARNING,
                'You are required to do two-factor authentication but have no device enabled. You must add one.'
            )
            query = urlencode({'next': next_page})
            return HttpResponseRedirect(reverse('otp:add_topt') + '?' + query)

        if request.method != 'POST':
            return render(request, 'otp/login_2fa.html', {'form': TokenForm()})

        form = TokenForm(data=request.POST, devices=available)
        if not form.is_valid():
            return render(request, 'otp/login_2fa.html', {'form': form})

        # OTP is valid: record last 2FA time in SessionInfo; have django_otp
        # record what it needs in the session
        SessionInfo.just_2fa(request)
        request.user = request.maybe_stale_user  # otp_login looks at request.user
        otp_login(request, form.device)
        who = request.user.username
        audit = LogEntry(
            userid=who,
            description=f"2FA as {who} from {ip.get_ip(request)}",
            related_object=request.user,
        )
        audit.save()

    return HttpResponseRedirect(next_page)
def form_valid(self, form):
    """Mark the session OTP-verified for the device the form matched, then continue.

    ``otp_login`` is given ``self.request.user.otp_device`` (presumably set on the
    user by the OTP token form when a token validates — confirm in the form
    class) before deferring to the parent ``form_valid`` for the redirect.
    """
    verified_device = self.request.user.otp_device
    otp_login(self.request, verified_device)
    return super().form_valid(form)