Use of e.g. ServiceWorker makes login with 2FA impossible #113
Comments
Without digging in deeper, one simple solution/workaround that comes to mind would be to serve
potential fix to valohai#113
Login also breaks if you happen to do any sort of request in between login and two-factor-authentication, e.g., pulling latest news for a sidebar widget via ajax etc. Therefore, I don't think the above mentioned approach solves this issue for good. I propose the solution in the pull request, which tries to remove
The only time an artifact of

Please note: I just commented out the old tests. Before merging, the code should be cleaned up properly. Just let me know if this approach is fine for you and I'll clean it up properly and update the docs.
@simonkern I don't think the codebase maintainers are all that active about this project. I did run into the same problem a while ago and this is what I did to work around it.
Any chance of getting this or what @sabipu mentioned merged?
When using a ServiceWorker, authentication with 2FA enabled is broken. Due to some limitations it is necessary to serve the worker script from the root of the site. In case you run something like gunicorn behind a load balancer, you will most likely just save the worker script as a template file and serve it using a template view. However, combined with allauth_2fa this causes a problem that ultimately breaks authentication for all users that have 2FA enabled.

In the `OTPAdapter` (adapter.py line 22) `user.id` gets stored within the session: `request.session['allauth_2fa_user_id'] = str(user.id)`

The presence of `allauth_2fa_user_id` in the session is then checked in the `TwoFactorAuthenticate` view (views.py line 34). In case it's not present, the user will be redirected to the login view. Otherwise the user with `allauth_2fa_user_id` will be put into kwargs and authentication will proceed. `allauth_2fa_user_id` gets cleared from the session by means of `AllauthTwoFactorMiddleware` (middleware.py line 26).

When you happen to use a service worker, what will very frequently happen is:

1. `allauth_2fa_user_id` gets stored in the user's session
2. the service worker's request clears `allauth_2fa_user_id` from the user's session, because the condition in middleware.py evaluates to true
3. `allauth_2fa_user_id` is already gone and the user is redirected to the login page

This scenario is not limited to the usage of ServiceWorkers, but is triggered every time a user makes (for whatever reason) a request between logging in and entering the 2FA token that causes the condition in the middleware to evaluate to true.

I am not sure what the best alternative solution is, or if there is any evil side effect if we do not delete `allauth_2fa_user_id` at all. What do you guys suggest?
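The session flow described in the issue body above, as an added stand-alone model that is not django-allauth-2fa's or Django's own code. It reproduces the failure mode (a request between login and OTP entry wipes the session key) against an in-memory session, and contrasts it with an alternative middleware that exempts non-navigation requests. The exact condition in the project's middleware is not quoted on this page, so the condition modelled here ("clear the key on any request that is not the OTP view"), the URL paths, the exempt prefixes and the `simulate` helper are all assumptions made for illustration:

```python
# Added example: a minimal in-memory model of the issue's session flow.
# It does not import Django or django-allauth-2fa; the middleware condition,
# the paths and the exempt prefixes below are assumptions, not project code.
from dataclasses import dataclass, field

SESSION_KEY = "allauth_2fa_user_id"              # the session key named in the issue
OTP_PATH = "/accounts/two-factor-authenticate/"  # assumed path of the OTP view
LOGIN_PATH = "/accounts/login/"                  # assumed path of the login view


@dataclass
class Request:
    """Stand-in for an HTTP request: only the path and the shared session matter."""
    path: str
    session: dict = field(default_factory=dict)


def otp_adapter_login(request, user_id):
    """First login step (models the adapter): remember who still owes a second factor."""
    request.session[SESSION_KEY] = str(user_id)


def strict_middleware(request):
    """Assumed condition: clear the pending-2FA key on any request that is not the
    OTP view. Every request runs through this, so a service worker fetch or an
    ajax call between login and OTP entry discards the key (the reported bug)."""
    if request.path != OTP_PATH and SESSION_KEY in request.session:
        del request.session[SESSION_KEY]


def exempting_middleware(request, exempt_prefixes=("/sw.js", "/api/")):
    """Assumed alternative: requests that are not user navigations (the worker
    script, ajax endpoints) do not count as abandoning the 2FA step; a real
    navigation elsewhere still clears the key, as before."""
    if request.path.startswith(exempt_prefixes):
        return
    strict_middleware(request)


def two_factor_authenticate_view(request):
    """Models the OTP view's check: ("ok", user_id) or a redirect to login."""
    user_id = request.session.get(SESSION_KEY)
    if user_id is None:
        return ("redirect", LOGIN_PATH)
    return ("ok", user_id)


def simulate(middleware, intermediate_paths):
    """Run login -> intermediate requests -> OTP view over one shared session and
    return the OTP view's outcome."""
    session = {}
    otp_adapter_login(Request(LOGIN_PATH, session), user_id=42)
    for path in intermediate_paths:           # e.g. the browser fetching /sw.js
        middleware(Request(path, session))
    otp_request = Request(OTP_PATH, session)
    middleware(otp_request)                   # middleware runs before the view
    return two_factor_authenticate_view(otp_request)


if __name__ == "__main__":
    print("no intermediate request  :", simulate(strict_middleware, []))
    print("strict + worker fetch     :", simulate(strict_middleware, ["/sw.js"]))
    print("exempting + worker/ajax   :", simulate(exempting_middleware, ["/sw.js", "/api/news/"]))
    print("exempting + real navigation:", simulate(exempting_middleware, ["/some/page/"]))
```

Running it shows the two halves of the report: with the strict condition a single `/sw.js` fetch turns the OTP step into a redirect to login, while with no intermediate request the flow succeeds. The exempting variant is only one possible shape of a fix and is not what the linked pull request does; whatever the project settles on, a regression test should cover exactly the sequence `simulate` models (login, unrelated request, OTP view).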