Comments (6)
pennersr
commented on August 17, 2024
Is the user supposed to be anonymous?
Yes. If you have not passed all checks (email verification if mandatory, 2FA if enabled, ...) request.user remains an anonymous user. That is done intentionally -- it would be really insecure if that would not be the case, as any third-party code typically checks for request.user.is_authenticated and assumes that is sufficient, which is not the case.
I must admit, I don't fully understand what you are trying to accomplish:
set a timeout between initial login and mfa
This is not clear to me.
from django-allauth.
half-of-a-glazier
commented on August 17, 2024
When the mfa form is filled out it should check how long ago the login form was submitted. If it's longer than x seconds, it should timeout and restart the login process.
from django-allauth.
pennersr
commented on August 17, 2024
What's the difference with what you are aiming for, versus what settings.ACCOUNT_REAUTHENTICATION_TIMEOUT is already doing?
from django-allauth.
half-of-a-glazier
commented on August 17, 2024
ACCOUNT_REAUTHENTICATION_TIMEOUT (default: 300)
Before asking the user to reauthenticate, we check if a successful (re)authentication happened within the amount of seconds specified here, and if that is the case, the new reauthentication flow is silently skipped.
This is what should happen:
- User is logged out
- User submits the login form with username/password and is redirected to mfa form
- User waits 5 minutes
- User submits mfa form
- Since 5 minutes is longer than the mfa-timeout limit, user is redirected to login stage 1.
settings.ACCOUNT_REAUTHENTICATION_TIMEOUT doesn't enforce this timeout because the user hasn't completed a successful authentication yet.
from django-allauth.
pennersr
commented on August 17, 2024
I see. In that case:
This function in allauth.account.reauthentication that looks like it's intended for this:
It's not -- the user did not (fully) authenticate yet, so reauthentication is not applicable. In order to support this, I think a general mechanism is needed to add timeouts to class LoginStage.
from django-allauth.
pennersr
commented on August 17, 2024
Logins now have a time out, see: 63bc165
from django-allauth.
Related Issues (20)
- Feature request: MFA remember device key
- Django-allauth views not compatible with Django 5.1 LoginRequiredMiddleware HOT 6
- Deprecated use of `webauthn_json_mapping` HOT 5
- Release tag format changed HOT 2
- Email verification when a different user is already logged in - headless HOT 3
- Feature Request: dynamically configurable activate_url with registration HOT 5
- Adopt Semvar HOT 4
- [headless.account.views.LoginView] Prevent login while logged in? HOT 2
- httpkit serialize/deserialize does not preserve `is_secure()`, preventing SAML login HOT 2
- [Password Reset] Prevent reset requests for "social only" users HOT 2
- Google auth not working on development environment
- [Headless MFA Deactivation] Always require reauthentication HOT 2
- Bearer Token fails to authenticate django rest api endpoints HOT 2
- [Headless Reauth] "Needs to reauthenticate" view? HOT 1
- Impossible to save Twitter OAuth1.0a token HOT 2
- Cannot override headless inputs HOT 11
- Determining minimal content for password reset email template including {{ password_reset_url }}
- allauth.account.middleware.AccountMiddleware breaks ASGI application HOT 1
- [Bug] bound_field attributes such as Tabindex, autocomplete are not available in fields.html HOT 7
- Headless Social account Google OAuth fails with error unknown
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-allauth.