diff --git a/InvenTree/InvenTree/forms.py b/InvenTree/InvenTree/forms.py
index f4157fdad9..d0d725c2f8 100644
--- a/InvenTree/InvenTree/forms.py
+++ b/InvenTree/InvenTree/forms.py
@@ -15,7 +15,6 @@ from allauth.account.forms import SignupForm, set_form_field_order
 from allauth.exceptions import ImmediateHttpResponse
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from allauth_2fa.adapter import OTPAdapter
-from allauth_2fa.forms import TOTPDeviceRemoveForm
 from allauth_2fa.utils import user_has_valid_totp_device
 from crispy_forms.bootstrap import (AppendedText, PrependedAppendedText,
                                     PrependedText)
@@ -270,36 +269,3 @@ class CustomSocialAccountAdapter(RegistratonMixin, DefaultSocialAccountAdapter):
         # Otherwise defer to the original allauth adapter.
         return super().login(request, user)
-
-
-# Temporary fix for django-allauth-2fa # TODO remove
-# See https://github.com/inventree/InvenTree/security/advisories/GHSA-8j76-mm54-52xq
-
-class CustomTOTPDeviceRemoveForm(TOTPDeviceRemoveForm):
-    """Custom Form to ensure a token is provided before removing MFA"""
-    # User must input a valid token so 2FA can be removed
-    token = forms.CharField(
-        label=_('Token'),
-    )
-
-    def __init__(self, user, **kwargs):
-        """Add token field."""
-        super().__init__(user, **kwargs)
-        self.fields['token'].widget.attrs.update(
-            {
-                'autofocus': 'autofocus',
-                'autocomplete': 'off',
-            }
-        )
-
-    def clean_token(self):
-        """Ensure at least one valid token is provided."""
-        # Ensure that the user has provided a valid token
-        token = self.cleaned_data.get('token')
-
-        # Verify that the user has provided a valid token
-        for device in self.user.totpdevice_set.filter(confirmed=True):
-            if device.verify_token(token):
-                return token
-
-        raise forms.ValidationError(_("The entered token is not valid"))
diff --git a/InvenTree/InvenTree/views.py b/InvenTree/InvenTree/views.py
index f18bf73106..bdddfccf90 100644
--- a/InvenTree/InvenTree/views.py
+++ b/InvenTree/InvenTree/views.py
@@ -37,7 +37,7 @@ from common.settings import currency_code_default, currency_codes
 from part.models import PartCategory
 from users.models import RuleSet, check_user_role
-from .forms import CustomTOTPDeviceRemoveForm, EditUserForm, SetPasswordForm
+from .forms import EditUserForm, SetPasswordForm
 def auth_request(request):
@@ -764,10 +764,8 @@ class NotificationsView(TemplateView):
     template_name = "InvenTree/notifications/notifications.html"
-# Temporary fix for django-allauth-2fa # TODO remove
-# See https://github.com/inventree/InvenTree/security/advisories/GHSA-8j76-mm54-52xq
+# Custom 2FA removal form to allow custom redirect URL
 class CustomTwoFactorRemove(TwoFactorRemove):
-    """Use custom form."""
-    form_class = CustomTOTPDeviceRemoveForm
+    """Specify custom URL redirect."""
     success_url = reverse_lazy("settings")
diff --git a/requirements.txt b/requirements.txt
index 32cfc56fa2..c71de9e36d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -71,7 +71,7 @@ django-allauth==0.51.0
     # via
     #   -r requirements.in
     #   django-allauth-2fa
-django-allauth-2fa==0.9
+django-allauth-2fa==0.10.0
     # via -r requirements.in
 django-cleanup==6.0.0
     # via -r requirements.in
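Review bot: Dropping `form_class` from `CustomTwoFactorRemove` hands 2FA removal back to whatever form the upstream `TwoFactorRemove` view supplies, so whether a valid TOTP token is still required before a device is deleted now rests entirely on the django-allauth-2fa 0.10.0 bump in requirements.txt (presumably that release carries the equivalent check, but nothing on this page confirms it). The commit removes the workaround for GHSA-8j76-mm54-52xq (the `CustomTOTPDeviceRemoveForm` deletion in forms.py) without adding a regression test that a removal request with a missing or wrong token is rejected; such a test would keep a future downgrade or pin change from silently reopening the advisory. The new comment also calls the class a form; `# Custom 2FA removal view to allow a custom redirect URL` matches what the class is. The class body may continue past the hunk.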