
Only validate token against chosen device 2 (#473) #683

Merged
merged 1 commit into from
Jan 24, 2024

Conversation

PetrDlouhy
Contributor

This is rebase of #521 to the current master branch.

Please follow the description at #521

@PetrDlouhy
Contributor Author

The tests are not passing because of #684


codecov bot commented Dec 18, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (9159d1c) 95.52% compared to head (b805807) 95.57%.
Report is 4 commits behind head on master.

@@            Coverage Diff             @@
##           master     #683      +/-   ##
==========================================
+ Coverage   95.52%   95.57%   +0.04%     
==========================================
  Files          78       78              
  Lines        3354     3389      +35     
  Branches      377      377              
==========================================
+ Hits         3204     3239      +35     
  Misses        119      119              
  Partials       31       31              


@@ -115,6 +116,7 @@ class AuthenticationTokenForm(OTPAuthenticationFormMixin, forms.Form):
'pattern': '[0-9]*', # hint to show numeric keyboard for on-screen keyboards
'autocomplete': 'one-time-code',
})
device_id = forms.CharField(widget=forms.HiddenInput(), required=False)
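Review bot: `device_id` is added as a hidden, optional field, which means it is still client-controlled input, so whatever consumes it (`_chosen_device`) must resolve the id only among the current user's own confirmed devices, never through a bare lookup by id, otherwise the form would accept a device the user does not own. If the UI gives the user no way to change the device anyway, the field can be dropped and `_chosen_device` can return the cached device or `initial_device` directly, while keeping the ownership check that the django_otp parent method performs rather than skipping it.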
Contributor


I don't see why we need this device_id hidden field, if the user has no way to change it anyway. Couldn't we return initial_device from _chosen_device?

```python
if self.device_cache:
    return self.device_cache
else:
    return self.initial_device
```
Contributor


If we skip calling the parent method, we should at least redo the security check done in django_otp parent method.
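
The review point above (a hidden `device_id` is untrusted input, and skipping the parent method must not skip its security check) is illustrated by the following added example. It is not code from django-two-factor-auth or django_otp: the `Device`, `User` and `DeviceChooser` classes, the `build_fixture` data and the three-failure throttle are all constructed for the illustration. The only rule it borrows from the discussion is that the chosen device must be looked up among the authenticated user's own confirmed devices, with `initial_device` as the fallback, and that token verification goes through the device's throttle.

```python
"""Added example, not project code: resolving a client-supplied device id
safely and verifying a token only against the device that was chosen."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 3  # assumed throttle threshold for this example


@dataclass
class Device:
    id: int
    user_id: int
    secret_token: str       # constructed: the one valid OTP for this device
    confirmed: bool = True
    failures: int = 0

    def verify_is_allowed(self) -> bool:
        """Throttle: refuse further attempts once too many have failed."""
        return self.failures < MAX_FAILURES

    def verify_token(self, token: str) -> bool:
        if not self.verify_is_allowed():
            return False
        ok = hmac.compare_digest(token, self.secret_token)
        self.failures = 0 if ok else self.failures + 1
        return ok


@dataclass
class User:
    id: int
    devices: list = field(default_factory=list)

    def confirmed_devices(self):
        return [d for d in self.devices if d.confirmed]


class DeviceChooser:
    """Plays the role of the form's _chosen_device method."""

    def __init__(self, user: User, initial_device: Optional[Device] = None,
                 device_id: Optional[str] = None):
        self.user = user
        self.initial_device = initial_device
        self.device_id = device_id   # untrusted: would come from the hidden field
        self.device_cache: Optional[Device] = None

    def _chosen_device(self) -> Optional[Device]:
        if self.device_cache:
            return self.device_cache
        device = None
        if self.device_id is not None:
            # Ownership check: search only this user's confirmed devices,
            # never a global "device by id" lookup.
            device = next((d for d in self.user.confirmed_devices()
                           if str(d.id) == str(self.device_id)), None)
        if device is None:
            device = self.initial_device
        # The fallback must satisfy the same rule as an explicit choice.
        if device is not None and (device.user_id != self.user.id
                                   or not device.confirmed):
            device = None
        self.device_cache = device
        return device

    def clean_token(self, token: str) -> bool:
        """True only if the chosen device accepts the token (and is not throttled)."""
        device = self._chosen_device()
        return device is not None and device.verify_token(token)


def build_fixture():
    """Constructed sample data: two users with their own devices."""
    alice = User(1)
    bob = User(2)
    alice.devices = [Device(10, 1, "111111"), Device(11, 1, "222222"),
                     Device(12, 1, "999999", confirmed=False)]
    bob.devices = [Device(20, 2, "333333")]
    return alice, bob


if __name__ == "__main__":
    alice, bob = build_fixture()
    form = DeviceChooser(alice, initial_device=alice.devices[0], device_id="20")
    print(form._chosen_device().id)   # 10: bob's device id is ignored
```

The point of the fallback check at the end of `_chosen_device` is that a tampered or stale `device_id` can at worst land the user on their own `initial_device`, never on another user's device or on an unconfirmed one, and every verification still passes through `verify_is_allowed`, so the throttle counts failures regardless of which of the user's devices was selected.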

@PetrDlouhy PetrDlouhy force-pushed the validate_token branch 2 times, most recently from ce9496a to 6b65936 on January 24, 2024 08:22
@PetrDlouhy
Contributor Author

@claudep Thank you for your comments. I had to investigate this much deeper and I found that the issue #473 might be already resolved by 8deb380

The test from the original PR is passing in current master and I added one more test to ensure that the throttling will work correctly in the future.

Would you be OK with merging just those tests?

@claudep
Contributor

claudep commented Jan 24, 2024

Absolutely, and thanks a ton for these investigations 😍

@claudep claudep merged commit 5afb11e into jazzband:master Jan 24, 2024
8 checks passed