refactor(mfa): Add totp_url to headless mfa activate response data #3884
Conversation
Force-pushed from f590d46 to 8919dd7
@@ -44,14 +45,21 @@ def get(self, request, *args, **kwargs): | |||
return response.AuthenticatorsResponse(request, authenticators) | |||
|
|||
|
|||
# TODO: Enforce reauthentication |
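Review bot: the "# TODO: Enforce reauthentication" comment added to the headless view is left dangling with no check next to it, which reads as if the activate endpoint can be hit without a recent login. Per the discussion below, activation goes through flows.totp.activate_totp(), which already calls raise_if_reauthentication_required(request); either point the comment at that call (e.g. "# Reauthentication is enforced in flows.totp.activate_totp()") or drop the TODO so a future reader does not add a duplicate or, worse, assume the check is missing.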
@pennersr BTW, I noticed that in headless mode, enabling MFA does not explicitly check the user has authenticated recently. Is that done intentionally? Is the idea that headless allauth applications should enforce that via a separate API call, i.e. to headless:browser:mfa:reauthenticate?
When activating TOTP, headless invokes flows.totp.activate_totp(), which has raise_if_reauthentication_required(request). Deleting TOTP, viewing and regenerating recovery codes is handled similarly. Doesn't that cover this?
Hmmm I will play around and confirm!
Force-pushed from 8919dd7 to 46f80de
Force-pushed from 46f80de to b55497d
Force-pushed from c603c19 to c005a69
@pennersr this one ready to go now I think! 🙏
totp_url: | ||
type: string | ||
description: | | ||
URL-encoded QR code containing the TOTP secret and other metadata to be scanned by OTP clients. |
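Review bot: the description on the totp_url property is inaccurate in two ways: the value is neither a QR code nor URL-encoded, it is an otpauth:// URI (the format the TOTP clients import), and the QR code is something the frontend renders from it. Suggested wording: "otpauth:// URI carrying the TOTP secret and parameters (issuer, algorithm, digits, period); clients typically render it as a QR code for the authenticator app to scan." A link to the otpauth URI draft in the description would also help API consumers, since the secret inside the URI must be treated as sensitive and only shown once during activation.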
This description seems off -- it is not a QR code right, nor is it URL encoded. It's just a URL/URI , from which the QR code could be generated.
Do you want to link to e.g. https://datatracker.ietf.org/doc/draft-linuxgemini-otpauth-uri/
Force-pushed from c005a69 to f7d091a
Force-pushed from f7d091a to d83533d
NOW it should be ready 😆
Description
Adds totp_url to allauth.headless.mfa.response.TOTPNotFoundResponse. The rationale is so that we get a ready-to-render TOTP URI for our frontend and I don't have to re-implement any of the allauth.mfa.views.ActivateTOTPView.get_context_data logic in my application or elsewhere/some other way.
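The totp_url returned by the activate endpoint is an otpauth://totp URI of the shape discussed in the review above (issuer and account in the label, base32 secret and TOTP parameters in the query), which the frontend renders as a QR code and the authenticator app parses. The following is an added example, not code from allauth or from this PR, showing what a consumer of that URI has to do: build one, parse and validate it, and derive the six- or eight-digit code from it with RFC 6238 TOTP. The issuer "Example", the account "alice@example.com" and the key bytes are constructed inputs; the key is the RFC 6238 reference secret so the output can be checked against the published test vectors. Nothing here is specific to allauth's implementation; the URI layout follows the otpauth key URI format that the draft linked above documents.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Hash functions an otpauth URI may name in its algorithm parameter.
ALLOWED_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def build_totp_uri(issuer, account, secret, *, algorithm="SHA1", digits=6, period=30):
    """Return an otpauth://totp URI that authenticator apps can import.

    `secret` is the raw key bytes; it is base32-encoded and the padding is
    stripped, which is what the common clients expect.
    """
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported algorithm")
    if digits not in (6, 8) or period <= 0:
        raise ValueError("digits must be 6 or 8 and period must be positive")
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    # Both halves of the label are percent-encoded so a ':' or '/' in the
    # account name cannot break the URI structure.
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    query = (
        f"secret={b32}&issuer={quote(issuer, safe='')}"
        f"&algorithm={algorithm}&digits={digits}&period={period}"
    )
    return f"otpauth://totp/{label}?{query}"


def parse_totp_uri(uri):
    """Parse an otpauth://totp URI into its parameters, rejecting malformed input."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    raw_issuer, _, raw_account = parts.path.lstrip("/").partition(":")
    issuer_label, account = unquote(raw_issuer), unquote(raw_account)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding the encoder stripped
    secret = base64.b32decode(b32)
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported algorithm")
    digits = int(params.get("digits", "6"))
    period = int(params.get("period", "30"))
    if digits not in (6, 8) or period <= 0:
        raise ValueError("invalid digits or period")
    # When both the label prefix and the issuer parameter are present they
    # must agree; a mismatch is a sign of a tampered or mis-built URI.
    issuer = params.get("issuer", issuer_label)
    if "issuer" in params and issuer_label and issuer_label != params["issuer"]:
        raise ValueError("issuer in label and query disagree")
    return {
        "issuer": issuer,
        "account": account,
        "secret": secret,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    }


def is_valid_totp_uri(uri):
    """True if parse_totp_uri accepts the URI, False otherwise."""
    try:
        parse_totp_uri(uri)
        return True
    except ValueError:
        return False


def totp_code(secret, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    now = time.time() if at is None else at
    counter = int(now // period)
    mac = hmac.new(secret, struct.pack(">Q", counter), ALLOWED_ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, at=None):
    """Derive the current code from a totp URI, as an authenticator app would."""
    p = parse_totp_uri(uri)
    return totp_code(p["secret"], p["algorithm"], p["digits"], p["period"], at)


if __name__ == "__main__":
    # Constructed inputs: RFC 6238 reference secret, hypothetical issuer/account.
    uri = build_totp_uri("Example", "alice@example.com", b"12345678901234567890", digits=8)
    print(uri)
    print(code_from_uri(uri, at=59))  # RFC 6238 vector for T=59, SHA1, 8 digits
```

The point for an API consumer is that the URI is self-describing: the secret, algorithm, digit count and step size all ride inside it, so whatever renders it into a QR code must be treated as handling the key itself, and the same parser that validates the issuer label against the issuer parameter is the place to reject anything that is not otpauth://totp before it reaches the user.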