From dd74cf19a7461e59a38a44cbcf50ad3b7d105c2c Mon Sep 17 00:00:00 2001
From: Matthias
Date: Sun, 31 Oct 2021 13:42:27 +0100
Subject: [PATCH] fix middleware to not interupt flow

---
 InvenTree/InvenTree/middleware.py | 12 +++++++++++-
 InvenTree/InvenTree/settings.py | 2 +-
 InvenTree/InvenTree/urls.py | 3 +-
 InvenTree/InvenTree/views.py | 7 -------
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/InvenTree/InvenTree/middleware.py b/InvenTree/InvenTree/middleware.py
index 089c178d9f..3480ef0dbb 100644
--- a/InvenTree/InvenTree/middleware.py
+++ b/InvenTree/InvenTree/middleware.py
@@ -8,7 +8,7 @@ import time
 import operator
 
 from rest_framework.authtoken.models import Token
-from allauth_2fa.middleware import BaseRequire2FAMiddleware
+from allauth_2fa.middleware import BaseRequire2FAMiddleware, AllauthTwoFactorMiddleware
 
 from InvenTree.urls import frontendpatterns
 
@@ -156,6 +156,7 @@ class QueryCountMiddleware(object):
 url_matcher = url('', include(frontendpatterns))
 
 class Check2FAMiddleware(BaseRequire2FAMiddleware):
+    """check if user is required to have MFA enabled"""
     def require_2fa(self, request):
         # Superusers are require to have 2FA.
         try:
@@ -164,3 +165,12 @@ class Check2FAMiddleware(BaseRequire2FAMiddleware):
         except Resolver404:
             pass
         return False
+
+class CustomAllauthTwoFactorMiddleware(AllauthTwoFactorMiddleware):
+    """This function ensures only frontend code triggers the MFA auth cycle"""
+    def process_request(self, request):
+        try:
+            if not url_matcher.resolve(request.path[1:]):
+                super().process_request(request)
+        except Resolver404:
+            pass
diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py
index 1985ecce65..208af3eb1a 100644
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
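Review bot: In CustomAllauthTwoFactorMiddleware.process_request the parent middleware is never reached: for a frontend path url_matcher.resolve() returns a ResolverMatch, which as far as I know defines no __bool__ and is therefore truthy, so `not url_matcher.resolve(...)` is False, and for every other path resolve() raises Resolver404, which the except swallows. The docstring says only frontend requests should trigger the MFA cycle, so the condition reads inverted; `if url_matcher.resolve(request.path[1:]):` followed by `super().process_request(request)` matches the stated intent and the resolve-then-Resolver404 pattern Check2FAMiddleware uses just above. Once wired in by the settings.py hunk this effectively disables AllauthTwoFactorMiddleware for every request, which, if I recall its role correctly, is the hook that discards a half-finished OTP login when the user leaves the 2FA page, so a test that a pending-2FA session is still reset on a frontend request would pin the behaviour. The docstring also calls a class "This function"; `"""Middleware that applies the allauth 2FA flow control only to frontend (non-API) requests."""` would be more accurate.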
@@ -301,7 +301,7 @@ MIDDLEWARE = CONFIG.get('middleware', [
     'corsheaders.middleware.CorsMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django_otp.middleware.OTPMiddleware', # MFA support
-    'allauth_2fa.middleware.AllauthTwoFactorMiddleware', # Flow control for allauth
+    'InvenTree.middleware.CustomAllauthTwoFactorMiddleware', # Flow control for allauth
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'InvenTree.middleware.AuthRequiredMiddleware',
diff --git a/InvenTree/InvenTree/urls.py b/InvenTree/InvenTree/urls.py
index 01baa20e03..0f4e20a9b0 100644
--- a/InvenTree/InvenTree/urls.py
+++ b/InvenTree/InvenTree/urls.py
@@ -37,7 +37,7 @@ from rest_framework.documentation import include_docs_urls
 
 from .views import auth_request
 from .views import IndexView, SearchView, DatabaseStatsView
-from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView, CustomTwoFactorAuthenticate
+from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView
 from .views import CurrencyRefreshView
 from .views import AppearanceSelectView, SettingCategorySelectView
 from .views import DynamicJsView
@@ -168,7 +168,6 @@ frontendpatterns = [
     url(r'^accounts/email/', CustomEmailView.as_view(), name='account_email'),
     url(r'^accounts/social/connections/', CustomConnectionsView.as_view(), name='socialaccount_connections'),
     url(r"^accounts/password/reset/key/(?P[0-9A-Za-z]+)-(?P.+)/$", CustomPasswordResetFromKeyView.as_view(), name="account_reset_password_from_key"),
-    url(r"^accounts/two-factor-authenticate/?$", CustomTwoFactorAuthenticate.as_view(), name="two-factor-authenticate"),
     url(r'^accounts/', include('allauth_2fa.urls')), # MFA support
     url(r'^accounts/', include('allauth.urls')), # included urlpatterns
 ]
diff --git a/InvenTree/InvenTree/views.py b/InvenTree/InvenTree/views.py
index d1d3ca7436..242b2b5e9a 100644
--- a/InvenTree/InvenTree/views.py
+++ b/InvenTree/InvenTree/views.py
@@ -858,13 +858,6 @@ class CustomPasswordResetFromKeyView(PasswordResetFromKeyView):
     success_url = reverse_lazy("account_login")
 
 
-class CustomTwoFactorAuthenticate(TwoFactorAuthenticate):
-    def dispatch(self, request, *args, **kwargs):
-        if 'allauth_2fa_user_id' not in request.session and 'otp_token' not in request.POST:
-            return redirect('account_login')
-        if hasattr(request.user, 'id'):
-            request.session['allauth_2fa_user_id'] = request.user.id
-        return super(FormView, self).dispatch(request, *args, **kwargs)
 
 class CurrencyRefreshView(RedirectView):
     """