From a8dfef5e52f6bb9f76c805ddbf7f9a6c97229cc0 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Sun, 21 Jan 2024 15:24:43 +0100 Subject: [PATCH] remove allauth_2fa flows --- InvenTree/InvenTree/forms.py | 27 --------------------------- InvenTree/InvenTree/middleware.py | 30 +----------------------------- InvenTree/InvenTree/settings.py | 4 +--- InvenTree/InvenTree/urls.py | 1 - 4 files changed, 2 insertions(+), 60 deletions(-) diff --git a/InvenTree/InvenTree/forms.py b/InvenTree/InvenTree/forms.py index 6000a5e906..b767f45c52 100644 --- a/InvenTree/InvenTree/forms.py +++ b/InvenTree/InvenTree/forms.py @@ -1,7 +1,6 @@ """Helper forms which subclass Django forms to provide additional functionality.""" import logging -from urllib.parse import urlencode from django import forms from django.conf import settings @@ -13,10 +12,7 @@ from django.utils.translation import gettext_lazy as _ from allauth.account.adapter import DefaultAccountAdapter from allauth.account.forms import LoginForm, SignupForm, set_form_field_order -from allauth.core.exceptions import ImmediateHttpResponse from allauth.socialaccount.adapter import DefaultSocialAccountAdapter -from allauth_2fa.adapter import OTPAdapter -from allauth_2fa.utils import user_has_valid_totp_device from crispy_forms.bootstrap import AppendedText, PrependedAppendedText, PrependedText from crispy_forms.helper import FormHelper from crispy_forms.layout import Field, Layout 
@@ -336,29 +332,6 @@ class CustomSocialAccountAdapter( return super().is_auto_signup_allowed(request, sociallogin) return False - # from OTPAdapter - def has_2fa_enabled(self, user): - """Returns True if the user has 2FA configured.""" - return user_has_valid_totp_device(user) - - def login(self, request, user): - """Ensure user is send to 2FA before login if enabled.""" - # Require two-factor authentication if it has been configured. - if self.has_2fa_enabled(user): - # Cast to string for the case when this is not a JSON serializable - # object, e.g. a UUID. - request.session['allauth_2fa_user_id'] = str(user.id) - - redirect_url = reverse('two-factor-authenticate') - # Add GET parameters to the URL if they exist. - if request.GET: - redirect_url += '?' + urlencode(request.GET) - - raise ImmediateHttpResponse(response=HttpResponseRedirect(redirect_url)) - - # Otherwise defer to the original allauth adapter. - return super().login(request, user) - def authentication_error( self, request, provider_id, error=None, exception=None, extra_context=None ): diff --git a/InvenTree/InvenTree/middleware.py b/InvenTree/InvenTree/middleware.py index 79f51b7914..05f7f64667 100644 --- a/InvenTree/InvenTree/middleware.py +++ b/InvenTree/InvenTree/middleware.py @@ -7,9 +7,8 @@ from django.conf import settings from django.contrib.auth.middleware import PersistentRemoteUserMiddleware from django.http import HttpResponse from django.shortcuts import redirect -from django.urls import Resolver404, include, path, resolve, reverse_lazy +from django.urls import include, path, resolve, reverse_lazy -from allauth_2fa.middleware import AllauthTwoFactorMiddleware, BaseRequire2FAMiddleware from error_report.middleware import ExceptionProcessor from InvenTree.urls import frontendpatterns 
@@ -127,33 +126,6 @@ class AuthRequiredMiddleware(object): url_matcher = path('', include(frontendpatterns)) -class Check2FAMiddleware(BaseRequire2FAMiddleware): - """Check if user is required to have MFA enabled.""" - - def require_2fa(self, request): - """Use setting to check if MFA should be enforced for frontend page.""" - from common.models import InvenTreeSetting - - try: - if url_matcher.resolve(request.path[1:]): - return InvenTreeSetting.get_setting('LOGIN_ENFORCE_MFA') - except Resolver404: - pass - return False - - -class CustomAllauthTwoFactorMiddleware(AllauthTwoFactorMiddleware): - """This function ensures only frontend code triggers the MFA auth cycle.""" - - def process_request(self, request): - """Check if requested url is forntend and enforce MFA check.""" - try: - if not url_matcher.resolve(request.path[1:]): - super().process_request(request) - except Resolver404: - pass - - class InvenTreeRemoteUserMiddleware(PersistentRemoteUserMiddleware): """Middleware to check if HTTP-header based auth is enabled and to set it up.""" diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py index f16ebaf6de..cb914cfd22 100644 --- a/InvenTree/InvenTree/settings.py +++ b/InvenTree/InvenTree/settings.py @@ -249,7 +249,7 @@ INSTALLED_APPS = [ 'django_otp', # OTP is needed for MFA - base package 'django_otp.plugins.otp_totp', # Time based OTP 'django_otp.plugins.otp_static', # Backup codes - 'allauth_2fa', # MFA flow for allauth + 'allauth.mfa', # MFA for for allauth 'dj_rest_auth', # Authentication APIs - dj-rest-auth 'dj_rest_auth.registration', # Registration APIs - dj-rest-auth' 'drf_spectacular', # API documentation 
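Review bot: Replacing `'allauth_2fa'` with `'allauth.mfa'` in INSTALLED_APPS drops the `LOGIN_ENFORCE_MFA` enforcement that `Check2FAMiddleware` provided (deleted in the middleware.py hunk on this line and removed from MIDDLEWARE in the next settings.py hunk), and the patch's two inserted lines add no replacement, so after this commit that setting presumably no longer forces MFA on classic-frontend logins. The existing second factors were enrolled through `django_otp.plugins.otp_totp` (still listed in INSTALLED_APPS), whereas allauth.mfa keeps its own authenticator records as far as I know; unless a data migration lands elsewhere, users who set up TOTP under allauth_2fa would stop being challenged and have to re-enrol, which is worth stating in the commit message or a follow-up. `'django_otp.middleware.OTPMiddleware'` stays in MIDDLEWARE although nothing left in the diff references django_otp, so confirm it is still required. Minor: the new comment reads `# MFA for for allauth`; suggest `# MFA for allauth`.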
@@ -269,12 +269,10 @@ MIDDLEWARE = CONFIG.get( 'django.contrib.auth.middleware.AuthenticationMiddleware', 'InvenTree.middleware.InvenTreeRemoteUserMiddleware', # Remote / proxy auth 'django_otp.middleware.OTPMiddleware', # MFA support - 'InvenTree.middleware.CustomAllauthTwoFactorMiddleware', # Flow control for allauth 'allauth.account.middleware.AccountMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'InvenTree.middleware.AuthRequiredMiddleware', - 'InvenTree.middleware.Check2FAMiddleware', # Check if the user should be forced to use MFA 'maintenance_mode.middleware.MaintenanceModeMiddleware', 'InvenTree.middleware.InvenTreeExceptionProcessor', # Error reporting ], diff --git a/InvenTree/InvenTree/urls.py b/InvenTree/InvenTree/urls.py index 547764cf5d..5111e4c67c 100644 --- a/InvenTree/InvenTree/urls.py +++ b/InvenTree/InvenTree/urls.py @@ -405,7 +405,6 @@ classic_frontendpatterns = [ ), # Override login page path('accounts/login/', CustomLoginView.as_view(), name='account_login'), - path('accounts/', include('allauth_2fa.urls')), # MFA support path('accounts/', include('allauth.urls')), # included urlpatterns ]