django-two-factor-auth
`addstatictoken` from Django-OTP doesn't always work with BackupView etc.
This is partly a bug with Django-OTP. See this PR
If the specified user has already generated backup tokens (and thus has a StaticDevice), then addstatictoken will behave as expected - the user gets a new backup token.
However, if the user didn't previously, the command will create a StaticDevice with the name "Backup Code". Django Two-Factor Authentication has the name "backup" hardcoded into all its views and so never sees the newly created token.
tl;dr: D2FA and Django-OTP have hardcoded different names for backup tokens.
Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?
The name field of django_otp.models.Device is documented as "A human-readable name to help the user identify their devices." It's really not intended to identify specific devices in the database. If D2FA would like to manage specific devices, my recommendation would be to create a model that holds foreign keys to those devices.
Ideally, addstatictoken should probably fail if there's no StaticDevice, perhaps with a flag to enable the current auto-create behavior. This is really just meant to help with bootstrapping a development environment or something.
Either way, if D2FA wants to be in a position for addstatictoken to always do the right thing, that probably means ensuring that every user always has a StaticDevice, even if it has no tokens. Alternatively, it could provide its own management command for this kind of thing.
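To make the mismatch concrete, here is an added stand-in written for this thread (it is not django-otp or django-two-factor-auth code and does not touch Django): an in-memory list plays the role of the StaticDevice table, `addstatictoken_legacy` mimics the auto-create behaviour described in the issue, `backup_tokens_seen_by_two_factor` mimics a view that only consults a device named "backup", and `addstatictoken_strict` sketches the suggested fix of refusing to run without a StaticDevice unless an explicit create flag is passed. The device names are taken from the thread; the function and class names and the token format are assumptions made for the example.

```python
"""Stand-in for the StaticDevice name mismatch discussed above.

Not django-otp or D2FA code: plain Python objects replace the ORM so the
behaviour can be exercised offline.  Names below come from the thread.
"""
from dataclasses import dataclass, field
import secrets

# Name the D2FA views look for (hardcoded, per the issue).
TWO_FACTOR_BACKUP_NAME = "backup"
# Name addstatictoken uses when it auto-creates a device (per the issue).
OTP_AUTOCREATE_NAME = "Backup Code"


@dataclass
class StaticDevice:
    """Minimal stand-in for django_otp.plugins.otp_static.models.StaticDevice."""
    user: str
    name: str
    tokens: list = field(default_factory=list)


def _first_device(devices, user, name=None):
    """Return the user's first StaticDevice, optionally filtered by name."""
    for d in devices:
        if d.user == user and (name is None or d.name == name):
            return d
    return None


def addstatictoken_legacy(devices, user):
    """Mimic the current command: reuse any StaticDevice the user has,
    otherwise auto-create one under the django-otp default name."""
    device = _first_device(devices, user)
    if device is None:
        device = StaticDevice(user, OTP_AUTOCREATE_NAME)
        devices.append(device)
    token = secrets.token_hex(4)  # constructed token format, not django-otp's
    device.tokens.append(token)
    return token


def backup_tokens_seen_by_two_factor(devices, user):
    """Mimic a D2FA view: only a device named "backup" is consulted, so
    tokens on a "Backup Code" device are invisible."""
    device = _first_device(devices, user, TWO_FACTOR_BACKUP_NAME)
    return list(device.tokens) if device else []


def addstatictoken_strict(devices, user, create=False):
    """Suggested behaviour: fail when the expected device is missing unless
    an explicit create flag is given, and then create it under the name the
    consuming views actually use."""
    device = _first_device(devices, user, TWO_FACTOR_BACKUP_NAME)
    if device is None:
        if not create:
            raise LookupError(
                f"{user!r} has no StaticDevice named {TWO_FACTOR_BACKUP_NAME!r}; "
                "pass create=True to bootstrap one"
            )
        device = StaticDevice(user, TWO_FACTOR_BACKUP_NAME)
        devices.append(device)
    token = secrets.token_hex(4)
    device.tokens.append(token)
    return token


if __name__ == "__main__":
    table = []
    addstatictoken_legacy(table, "alice")
    print("legacy, no prior device ->", backup_tokens_seen_by_two_factor(table, "alice"))
    table = []
    tok = addstatictoken_strict(table, "alice", create=True)
    print("strict with create ->", backup_tokens_seen_by_two_factor(table, "alice") == [tok])
```

The legacy path leaves a "Backup Code" device that the view never reads, which is exactly the silent failure the issue reports; the strict path either errors loudly or creates the device under the name the views expect, so a freshly issued token is immediately usable.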
Good thoughts @psagers, that sounds like good improvements. Thanks for the advice on how to improve this package.
@moggers87
Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?
I'm not saying it's a good idea and I'm not suggesting we should support it, but a lot of banks still provide printed TAN lists to use for e.g. online banking. These codes are static 2FA codes but are not backup codes in case you lose a device, afaict.