RequiredTwoFactor Middleware Setup Not Working #104

Open
roddajohn opened this issue Sep 25, 2020 · 7 comments


roddajohn commented Sep 25, 2020

Hi,

I have a custom Middleware (source below) that should link whether two factor is required to a user model field. This is working and correctly determining when two factor should be required, and when not.

However, when a user for whom two factor is required logs in, and is (correctly) redirected to the set up two factor page, the token always comes back invalid. If a user doesn't have two factor required but sets up two factor, the token works just fine.

Any ideas?

users.middleware.RequireTwoFactorRequiredMiddleware

from allauth_2fa.middleware import BaseRequire2FAMiddleware


class RequireTwoFactorRequiredMiddleware(BaseRequire2FAMiddleware):
    # Require 2FA for this request only when the user model flag is set.
    def require_2fa(self, request):
        return request.user.two_factor_required

Middleware ordering:

'django_otp.middleware.OTPMiddleware',
'allauth_2fa.middleware.AllauthTwoFactorMiddleware',
'users.middleware.RequireTwoFactorRequiredMiddleware'
clokep (Collaborator) commented Sep 25, 2020

> redirected to the setup two factor page, the token is always coming back invalid. If a user doesn't have two factor required but setups up the two factor, the token works just fine.

I'm not really sure what you mean here. Do you mean they end up at the setup two-factor page (the page that shows the QR code), but when submitting it the token is rejected?

The code should be identical in both cases so I'm not sure why that would be happening. Is there a more specific error than "invalid"?

roddajohn (Author)

Yes, there are two cases:

  • User has two factor required, but not set up. When they log in they are directed to set up two factor, I scan the QR code and enter the token -- I get the form validation error indicating the token is invalid
  • User does not have two factor required, and also not set up. When they set up two factor, it works fine.

Yeah that was my first glance too -- that the code is identical -- the error I'm seeing is the front end form validation error thrown when the token is invalid, found in allauth_2fa/forms.py

roddajohn (Author)

How would I get a more detailed error? Can I uncover the underlying reason why the token is invalid?

clokep (Collaborator) commented Sep 25, 2020

The corresponding code is in https://github.com/percipient/django-allauth-2fa/blob/f2a2e77dcc93facd5885903acddfd23af3e53b99/allauth_2fa/forms.py#L41-L49

Does the user have multiple unconfirmed devices for some reason? Could be worth sub-classing that and poking a bit at the devices and such.

roddajohn (Author)

The user has 1 unconfirmed device -- just ran the query and played around with it a little bit, seems that I can't delete the one device (it's unconfirmed).

Some other issues I came across perhaps indicated that the issue had to do with throttling and some redirects (like static pages) also throwing the two factor required. I disabled throttling and can still experience the issue -- seems very odd.

simonkern

I can reproduce this issue on my installation

simonkern

@roddajohn Any chance you are running something similar to #113? In case there is a second request that also gets redirected to the setup 2fa page, it might overwrite the unconfirmed key of your first request, which would then make it impossible to activate 2fa.
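A minimal simulation of the overwrite scenario described in the last comment, added here as an example and not code from django-allauth-2fa or from anyone in this thread: a second GET to the setup page regenerates the unconfirmed TOTP key, so the token the authenticator app produced for the first key no longer validates, whereas reusing the existing unconfirmed device (the assumed mitigation) lets the confirmation succeed. `Device`, `User`, `setup_get` and `setup_post` are hypothetical stand-ins, not the library's models or views; the TOTP arithmetic follows RFC 6238 with SHA-1.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(key, now // step)


class Device:  # hypothetical stand-in for a TOTP device row
    def __init__(self, key: bytes):
        self.key = key
        self.confirmed = False


class User:  # hypothetical stand-in for the user and its devices
    def __init__(self):
        self.devices = []

    def unconfirmed(self):
        return [d for d in self.devices if not d.confirmed]


def setup_get(user: User, reuse_existing: bool) -> Device:
    """Render the setup page (QR code). With reuse_existing=False every GET
    discards unconfirmed devices and mints a fresh key, which is the clobbering
    behaviour; with reuse_existing=True an in-progress enrolment is kept."""
    if reuse_existing and user.unconfirmed():
        return user.unconfirmed()[-1]
    user.devices = [d for d in user.devices if d.confirmed]
    device = Device(secrets.token_bytes(20))
    user.devices.append(device)
    return device


def setup_post(user: User, token: str, now: int) -> bool:
    """Confirm whichever unconfirmed device matches the submitted token."""
    for device in user.unconfirmed():
        if hmac.compare_digest(totp(device.key, now), token):
            device.confirmed = True
            return True
    return False


def simulate(reuse_existing: bool, now: int = 1_600_000_000) -> bool:
    user = User()
    shown = setup_get(user, reuse_existing)   # request 1: browser renders the QR
    token = totp(shown.key, now)              # authenticator enrols that key
    setup_get(user, reuse_existing)           # request 2: another redirect hits setup
    return setup_post(user, token, now)       # user submits the token from request 1
```

`simulate(False)` returns False (the token was generated for a key that no longer exists) and `simulate(True)` returns True.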
