Adds middleware to enforce 2fa #284
base: master
Conversation
@Bouke Please check whether the following change is required or not. If yes, please share if you want any modifications as well.
Codecov Report
@@ Coverage Diff @@
## master #284 +/- ##
==========================================
- Coverage 96.52% 95.84% -0.69%
==========================================
Files 39 40 +1
Lines 1640 1660 +20
Branches 116 118 +2
==========================================
+ Hits 1583 1591 +8
- Misses 35 47 +12
Partials 22 22
As well as my comments, there are also no tests.
"""Wrap around actual Admin calls.""" | ||
response = self.get_response(request) | ||
if resolve(request.path).app_name == 'two_factor' or ( | ||
resolve(request.path).url_name == 'logout'): |
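Review bot: `response = self.get_response(request)` on the second line runs the wrapped view before the 2FA decision is made, so a POST from a user who has not enrolled is fully executed and whatever the check decides afterwards cannot undo its side effects; move the `resolve`/redirect check ahead of `self.get_response(request)` and return the redirect early. The same lines also call `resolve(request.path)` twice and do not handle the `Resolver404` it raises for paths that match no route; resolve once into a local (`match = resolve(request.path)`) inside a `try` and let unresolvable paths fall through to the normal 404 handling.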
How do we know the logout URL is called logout?
@moggers87 Is there any way of knowing this?
Not that I know of.
two_factor/middleware/enforce2fa.py
Outdated
self.get_response = get_response | ||
|
||
def __call__(self, request): | ||
"""Wrap around actual Admin calls.""" |
This code won't limit itself to just the admin site as it makes no such check. Either code needs to do what the comment says or the comment needs changing.
two_factor/middleware/enforce2fa.py
Outdated
from django.urls import resolve, reverse | ||
|
||
|
||
class Enforce2FAMiddleware: |
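Review bot: the import line brings in `resolve` and `reverse` but not `Resolver404`; since `__call__` resolves `request.path` for every request, a path that matches no route will raise through the middleware instead of producing the usual 404 unless that exception is imported and caught (`from django.urls import Resolver404, resolve, reverse`).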
This package still supports Python 2.7 for Django 1.11, so that should be a subclass of object.
Description
As far as I know, the current 2FA enforcement involves admin intervention. With the following change, people can directly include the middleware in the settings file and things will work out of the box.
Motivation and Context
We are using this software in our Django app. We wanted to enforce 2FA, but the existing solution doesn't allow free movement and stops the user from moving forward if the user has not enabled 2FA.
We wanted it differently: we wanted the users to move forward, but only to the URLs where the user can either
logout
or enable 2FA.
How Has This Been Tested?
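The behaviour the description asks for (authenticated but unenrolled users may only reach the two_factor views or log out; everyone else is sent to setup) as an added Python example. This is not the code from PR #284 and not part of django-two-factor-auth. It assumes django_otp's `user_has_device` is available and that the setup view is named `two_factor:setup`; the settings attribute `TWO_FACTOR_EXEMPT_URL_NAMES` is a hypothetical name introduced here so the logout route is configured rather than guessed, and the request, user and route objects at the bottom are constructed fakes so the file runs without Django installed.

```python
# Added example, not the PR's or the project's code. Hypothetical pieces:
# TWO_FACTOR_EXEMPT_URL_NAMES (assumed settings name), 'two_factor:setup'
# (assumed setup view name) and the fake request/user/route objects below.
try:                                   # real Django when installed ...
    from django.urls import Resolver404
except ImportError:                    # ... else a stand-in so this file runs alone
    class Resolver404(Exception):
        pass

DEFAULT_EXEMPT_APP_NAMES = frozenset({"two_factor"})   # setup, QR code, backup tokens
DEFAULT_EXEMPT_URL_NAMES = frozenset({"logout"})       # overridable via settings
SETUP_URL_NAME = "two_factor:setup"                    # assumed name of the setup view


def needs_setup_redirect(is_authenticated, has_device, app_name, url_name,
                         exempt_app_names=DEFAULT_EXEMPT_APP_NAMES,
                         exempt_url_names=DEFAULT_EXEMPT_URL_NAMES):
    """Pure decision on facts pulled out of the request; no Django objects."""
    if not is_authenticated:
        return False        # anonymous traffic is the login views' business
    if has_device:
        return False        # account already has a confirmed 2FA device
    if app_name in exempt_app_names or url_name in exempt_url_names:
        return False        # allowed: reach setup, or log out
    return True


class Enforce2FAMiddleware(object):    # explicit base: Python 2.7 / Django 1.11
    """Redirect authenticated users without a 2FA device to the setup view.

    The check runs before get_response, so a request from an unenrolled user is
    never executed by the view. Django-specific callables are injected so the
    class can be driven with fakes; None means "use the real one".
    """

    def __init__(self, get_response, resolve=None, reverse=None, redirect=None,
                 has_device=None, exempt_url_names=None):
        self.get_response = get_response
        if resolve is None:
            from django.urls import resolve
        if reverse is None:
            from django.urls import reverse
        if redirect is None:
            from django.shortcuts import redirect
        if has_device is None:
            from django_otp import user_has_device as has_device
        if exempt_url_names is None:   # Django cannot tell us the logout route's name
            from django.conf import settings
            exempt_url_names = getattr(settings, "TWO_FACTOR_EXEMPT_URL_NAMES",
                                       DEFAULT_EXEMPT_URL_NAMES)
        self.resolve, self.reverse, self.redirect = resolve, reverse, redirect
        self.has_device = has_device
        self.exempt_url_names = frozenset(exempt_url_names)

    def __call__(self, request):
        try:
            match = self.resolve(request.path)       # resolve once, not twice
        except Resolver404:
            return self.get_response(request)        # let normal 404 handling answer
        user = request.user
        if needs_setup_redirect(bool(user.is_authenticated), self.has_device(user),
                                match.app_name, match.url_name,
                                exempt_url_names=self.exempt_url_names):
            return self.redirect(self.reverse(SETUP_URL_NAME))
        return self.get_response(request)


# --- constructed fakes so the middleware can be exercised without Django -----
class _Match(object):
    def __init__(self, app_name, url_name):
        self.app_name, self.url_name = app_name, url_name

class _User(object):
    def __init__(self, authenticated, enrolled):
        self.is_authenticated, self.enrolled = authenticated, enrolled

class _Request(object):
    def __init__(self, path, user):
        self.path, self.user = path, user

_ROUTES = {                                          # stand-in URLconf
    "/account/two_factor/setup/": _Match("two_factor", "setup"),
    "/accounts/signout/": _Match("", "signout"),     # this project calls logout 'signout'
    "/dashboard/": _Match("", "dashboard"),
}

def _fake_resolve(path):
    if path not in _ROUTES:
        raise Resolver404(path)
    return _ROUTES[path]

def outcome(path, authenticated=True, enrolled=False):
    """Run one request through the middleware; returns ('view'|'redirect', url)."""
    mw = Enforce2FAMiddleware(
        get_response=lambda req: ("view", req.path),
        resolve=_fake_resolve,
        reverse=lambda name: "/account/two_factor/setup/",
        redirect=lambda url: ("redirect", url),
        has_device=lambda user: user.enrolled,
        exempt_url_names={"signout"},                # what the setting would hold
    )
    return mw(_Request(path, _User(authenticated, enrolled)))
```

In a real project the class would go into MIDDLEWARE after django_otp.middleware.OTPMiddleware, since it needs a fully loaded user. Exemption is by URL name, so keep the exempt set to the logout view only; every extra name is a view an unenrolled account can still reach.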