Remove custom 2FA code (#3300)

* Update django-allauth-2fa to latest version

* Remove custom view / form for removing token

* Revert "2FA disable" view to custom view

- Allows specification of custom redirect URL
This commit is contained in:
Oliver 2022-07-11 10:26:41 +10:00 committed by GitHub
parent 7376e34505
commit 67732f8f81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 40 deletions


@ -15,7 +15,6 @@ from allauth.account.forms import SignupForm, set_form_field_order
from allauth.exceptions import ImmediateHttpResponse
from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
from allauth_2fa.adapter import OTPAdapter
from allauth_2fa.forms import TOTPDeviceRemoveForm
from allauth_2fa.utils import user_has_valid_totp_device
from crispy_forms.bootstrap import (AppendedText, PrependedAppendedText,
PrependedText)
@ -270,36 +269,3 @@ class CustomSocialAccountAdapter(RegistratonMixin, DefaultSocialAccountAdapter):
# Otherwise defer to the original allauth adapter.
return super().login(request, user)
# Temporary fix for django-allauth-2fa # TODO remove
# See https://github.com/inventree/InvenTree/security/advisories/GHSA-8j76-mm54-52xq
class CustomTOTPDeviceRemoveForm(TOTPDeviceRemoveForm):
"""Custom Form to ensure a token is provided before removing MFA"""
# User must input a valid token so 2FA can be removed
token = forms.CharField(
label=_('Token'),
)
def __init__(self, user, **kwargs):
"""Add token field."""
super().__init__(user, **kwargs)
self.fields['token'].widget.attrs.update(
{
'autofocus': 'autofocus',
'autocomplete': 'off',
}
)
def clean_token(self):
"""Ensure at least one valid token is provided."""
# Ensure that the user has provided a valid token
token = self.cleaned_data.get('token')
# Verify that the user has provided a valid token
for device in self.user.totpdevice_set.filter(confirmed=True):
if device.verify_token(token):
return token
raise forms.ValidationError(_("The entered token is not valid"))


@ -37,7 +37,7 @@ from common.settings import currency_code_default, currency_codes
from part.models import PartCategory
from users.models import RuleSet, check_user_role
from .forms import CustomTOTPDeviceRemoveForm, EditUserForm, SetPasswordForm
from .forms import EditUserForm, SetPasswordForm
def auth_request(request):
@ -764,10 +764,8 @@ class NotificationsView(TemplateView):
template_name = "InvenTree/notifications/notifications.html"
# Temporary fix for django-allauth-2fa # TODO remove
# See https://github.com/inventree/InvenTree/security/advisories/GHSA-8j76-mm54-52xq
# Custom 2FA removal form to allow custom redirect URL
class CustomTwoFactorRemove(TwoFactorRemove):
"""Use custom form."""
form_class = CustomTOTPDeviceRemoveForm
"""Specify custom URL redirect."""
success_url = reverse_lazy("settings")
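Review bot: With `form_class = CustomTOTPDeviceRemoveForm` dropped, `CustomTwoFactorRemove` falls back to whatever form the upstream `TwoFactorRemove` declares, so the requirement that a valid TOTP token be entered before a device is removed (the GHSA-8j76-mm54-52xq mitigation named in the deleted comment) now rests entirely on django-allauth-2fa 0.10.0 carrying that check, and nothing in the hunk records that dependency. I would keep the pointer in the class docstring, e.g. `"""Custom 2FA removal view: overrides only success_url; token validation is expected from the upstream TwoFactorRemove form (django-allauth-2fa >= 0.10.0, see GHSA-8j76-mm54-52xq)."""`, and add a regression test asserting that a POST to this view without a valid token leaves the confirmed TOTP device in place, so a future downgrade or upstream change cannot silently reopen the issue. The pin in requirements.txt is exact, but if requirements.in carries an unbounded `django-allauth-2fa` entry it should get a `>=0.10.0` floor for the same reason; that file is not visible here. Whether the class body continues past `success_url` is also not visible in this hunk.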


@ -71,7 +71,7 @@ django-allauth==0.51.0
# via
# -r requirements.in
# django-allauth-2fa
django-allauth-2fa==0.9
django-allauth-2fa==0.10.0
# via -r requirements.in
django-cleanup==6.0.0
# via -r requirements.in