fix middleware to not interupt flow

This commit is contained in:
Matthias 2021-10-31 13:42:27 +01:00
parent eaf1a4baec
commit dd74cf19a7
No known key found for this signature in database
GPG Key ID: F50EF5741D33E076
4 changed files with 13 additions and 11 deletions

View File

@ -8,7 +8,7 @@ import time
import operator
from rest_framework.authtoken.models import Token
from allauth_2fa.middleware import BaseRequire2FAMiddleware
from allauth_2fa.middleware import BaseRequire2FAMiddleware, AllauthTwoFactorMiddleware
from InvenTree.urls import frontendpatterns
@ -156,6 +156,7 @@ class QueryCountMiddleware(object):
url_matcher = url('', include(frontendpatterns))
class Check2FAMiddleware(BaseRequire2FAMiddleware):
"""check if user is required to have MFA enabled"""
def require_2fa(self, request):
# Superusers are require to have 2FA.
try:
@ -164,3 +165,12 @@ class Check2FAMiddleware(BaseRequire2FAMiddleware):
except Resolver404:
pass
return False
class CustomAllauthTwoFactorMiddleware(AllauthTwoFactorMiddleware):
"""This function ensures only frontend code triggers the MFA auth cycle"""
def process_request(self, request):
try:
if not url_matcher.resolve(request.path[1:]):
super().process_request(request)
except Resolver404:
pass

View File

@ -301,7 +301,7 @@ MIDDLEWARE = CONFIG.get('middleware', [
'corsheaders.middleware.CorsMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django_otp.middleware.OTPMiddleware', # MFA support
'allauth_2fa.middleware.AllauthTwoFactorMiddleware', # Flow control for allauth
'InvenTree.middleware.CustomAllauthTwoFactorMiddleware', # Flow control for allauth
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'InvenTree.middleware.AuthRequiredMiddleware',

View File

@ -37,7 +37,7 @@ from rest_framework.documentation import include_docs_urls
from .views import auth_request
from .views import IndexView, SearchView, DatabaseStatsView
from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView, CustomTwoFactorAuthenticate
from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView
from .views import CurrencyRefreshView
from .views import AppearanceSelectView, SettingCategorySelectView
from .views import DynamicJsView
@ -168,7 +168,6 @@ frontendpatterns = [
url(r'^accounts/email/', CustomEmailView.as_view(), name='account_email'),
url(r'^accounts/social/connections/', CustomConnectionsView.as_view(), name='socialaccount_connections'),
url(r"^accounts/password/reset/key/(?P<uidb36>[0-9A-Za-z]+)-(?P<key>.+)/$", CustomPasswordResetFromKeyView.as_view(), name="account_reset_password_from_key"),
url(r"^accounts/two-factor-authenticate/?$", CustomTwoFactorAuthenticate.as_view(), name="two-factor-authenticate"),
url(r'^accounts/', include('allauth_2fa.urls')), # MFA support
url(r'^accounts/', include('allauth.urls')), # included urlpatterns
]

View File

@ -858,13 +858,6 @@ class CustomPasswordResetFromKeyView(PasswordResetFromKeyView):
success_url = reverse_lazy("account_login")
class CustomTwoFactorAuthenticate(TwoFactorAuthenticate):
def dispatch(self, request, *args, **kwargs):
if 'allauth_2fa_user_id' not in request.session and 'otp_token' not in request.POST:
return redirect('account_login')
if hasattr(request.user, 'id'):
request.session['allauth_2fa_user_id'] = request.user.id
return super(FormView, self).dispatch(request, *args, **kwargs)
class CurrencyRefreshView(RedirectView):
"""