Only validate token against chosen device (#473)

[Gautier]

Description

Changes the AuthenticationTokenForm to only validate a token against the chosen device.

The first version of this PR only includes a failing test to demonstrate the problem and the second version is a suggestion on how to fix it.

Motivation and Context

I received the same error report as #473 for one of my system using django-two-factor-auth and noticed the backup tokens throttling_failure_count were being incremented even though the phone TOTP worked.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project. (no black?)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[moggers87]

Just some comments/questions after a quick read through

[moggers87]

This method doesn't appear to be called by anything, what's it for?

[Gautier]

_chosen_device is the method called by the OTPTokenForm._clean_otp method in django-otp.

It currently returns None which makes django-otp try to match the token against each user's devices in order until one works (in match_token) but since match_token uses devices_for_token which iterates over the devices that way for model in device_classes(): there is no guarantee that it won't try the backup devices first.

I have added more details in my comment at the related issue at : #473 (comment) under the heading "Full investigation".

[moggers87]

Given that we know the device ID, couldn't we just fetch it directly rather than iterating over all devices like this?

[Gautier]

Good point, I have updated the PR to use Device.from_persistent_id instead.

[moggers87]

Not sure I understand this new comment

[Gautier]

I have updated the comment to include the crucial missing word "or" in "default device or a backup device"

[milafrerichs]

Any updates on this? We ran into this issue as well. Would be great to have a fix on the main package.
Can I help in any way?

[PetrDlouhy]

@moggers87 @Gautier What is state of this PR? Could I help somehow?

[claudep]

Rebasing looks like the next step, then @PetrDlouhy, your review would be welcome, too!

[PetrDlouhy]

@claudep I have rebased this in PR #683, all tests are passing now.

[PetrDlouhy]

I have tried to rebase this in #683, but I am not able to resolve the review comments there without much deeper investigation.

@Gautier Would you be able to look at it?
I am a bit confused, because I tried to run the tests.test_views_login.LoginTest.test_totp_token_does_not_impact_backup_token test with the unfixed forms.py code and it seems to pass.

I will try to give it more time, but it would save me some nerves if you could look at it.

[PetrDlouhy]

I did investigate it a bit more and I realized that in the new version of django-two-factor-auth there is AuthenticationTokenForm._chosen_device() newly implemented.
I am not yet sure if that is enough to fix #473 or there is some case in which it could still fail.

[PetrDlouhy]

The relevant test from this PR is merged now and is passing because of other fixes in the current branch.

Other changes included in this PR are probably not needed and if they are, they would need a clear test case first.
I am closing this, open new PR in such cases.