fix middleware to not interupt flow

InvenTree/InvenTree/middleware.py

@@ -8,7 +8,7 @@ import time
 import operator
 
 from rest_framework.authtoken.models import Token
-from allauth_2fa.middleware import BaseRequire2FAMiddleware
+from allauth_2fa.middleware import BaseRequire2FAMiddleware, AllauthTwoFactorMiddleware
 
 from InvenTree.urls import frontendpatterns
 
@@ -156,6 +156,7 @@ class QueryCountMiddleware(object):
 url_matcher = url('', include(frontendpatterns))
 
 class Check2FAMiddleware(BaseRequire2FAMiddleware):
+    """check if user is required to have MFA enabled"""
     def require_2fa(self, request):
         # Superusers are require to have 2FA.
         try:
@@ -164,3 +165,12 @@ class Check2FAMiddleware(BaseRequire2FAMiddleware):
         except Resolver404:
             pass
         return False
+
+class CustomAllauthTwoFactorMiddleware(AllauthTwoFactorMiddleware):
+    """This function ensures only frontend code triggers the MFA auth cycle"""
+    def process_request(self, request):
+        try:
+            if not url_matcher.resolve(request.path[1:]):
+                super().process_request(request)
+        except Resolver404:
+            pass

InvenTree/InvenTree/settings.py

@@ -301,7 +301,7 @@ MIDDLEWARE = CONFIG.get('middleware', [
     'corsheaders.middleware.CorsMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django_otp.middleware.OTPMiddleware',                      # MFA support
-    'allauth_2fa.middleware.AllauthTwoFactorMiddleware',        # Flow control for allauth
+    'InvenTree.middleware.CustomAllauthTwoFactorMiddleware',    # Flow control for allauth
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'InvenTree.middleware.AuthRequiredMiddleware',

InvenTree/InvenTree/urls.py

@@ -37,7 +37,7 @@ from rest_framework.documentation import include_docs_urls
 
 from .views import auth_request
 from .views import IndexView, SearchView, DatabaseStatsView
-from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView, CustomTwoFactorAuthenticate
+from .views import SettingsView, EditUserView, SetPasswordView, CustomEmailView, CustomConnectionsView, CustomPasswordResetFromKeyView
 from .views import CurrencyRefreshView
 from .views import AppearanceSelectView, SettingCategorySelectView
 from .views import DynamicJsView
@@ -168,7 +168,6 @@ frontendpatterns = [
     url(r'^accounts/email/', CustomEmailView.as_view(), name='account_email'),
     url(r'^accounts/social/connections/', CustomConnectionsView.as_view(), name='socialaccount_connections'),
     url(r"^accounts/password/reset/key/(?P<uidb36>[0-9A-Za-z]+)-(?P<key>.+)/$", CustomPasswordResetFromKeyView.as_view(), name="account_reset_password_from_key"),
-    url(r"^accounts/two-factor-authenticate/?$", CustomTwoFactorAuthenticate.as_view(), name="two-factor-authenticate"),
     url(r'^accounts/', include('allauth_2fa.urls')),    # MFA support
     url(r'^accounts/', include('allauth.urls')),        # included urlpatterns
 ]

InvenTree/InvenTree/views.py

@@ -858,13 +858,6 @@ class CustomPasswordResetFromKeyView(PasswordResetFromKeyView):
     success_url = reverse_lazy("account_login")
 
 
-class CustomTwoFactorAuthenticate(TwoFactorAuthenticate):
-    def dispatch(self, request, *args, **kwargs):
-        if 'allauth_2fa_user_id' not in request.session and 'otp_token' not in request.POST:
-            return redirect('account_login')
-        if hasattr(request.user, 'id'):
-            request.session['allauth_2fa_user_id'] = request.user.id
-        return super(FormView, self).dispatch(request, *args, **kwargs)
 
 class CurrencyRefreshView(RedirectView):
     """