
`addstatictoken` from Django-OTP doesn't always work with BackupView etc.

Open moggers87 opened this issue 8 years ago • 4 comments

This is partly a bug with Django-OTP. See this PR

If the specified user has already generated backup tokens (and thus has a StaticDevice), then addstatictoken will behave as expected - the user gets a new backup token.

However, if the user didn't previously, the command will create a StaticDevice with the name "Backup Code". Django Two-Factor Authentication has the name "backup" hardcoded into all its views and so never sees the newly created token.

tl;dr: D2FA and Django-OTP have hardcoded different names for backup tokens.

moggers87 avatar Mar 27 '16 15:03 moggers87
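To make the mismatch described above concrete, here is an added example that is not code from django-two-factor-auth or Django-OTP. It replaces the ORM with an in-memory `StaticDevice` stand-in (constructed for this illustration) and compares the two lookup policies: the name-based one the views use, which silently ignores a device named "Backup Code", and a name-agnostic one that checks every static device the user owns. Tokens are compared with `hmac.compare_digest` and removed on first successful use, mirroring the single-use semantics of backup codes.

```python
"""In-memory stand-in for the StaticDevice lookup (no Django required).

Constructed for this issue thread; the dataclass below is not the real
django_otp model, only enough of it to show how the name mismatch behaves.
"""
from dataclasses import dataclass, field
import hmac

# Device names each project hard-codes, as reported in the issue.
D2FA_BACKUP_NAME = "backup"
OTP_ADDSTATICTOKEN_NAME = "Backup Code"


@dataclass
class StaticDevice:
    user: str
    name: str
    tokens: list = field(default_factory=list)  # unused, single-use tokens


def devices_for(user, devices):
    """All static devices belonging to `user`."""
    return [d for d in devices if d.user == user]


def consume(device, token):
    """Accept `token` if the device holds it, then invalidate it (single use)."""
    for i, stored in enumerate(device.tokens):
        if hmac.compare_digest(stored.encode(), token.encode()):
            del device.tokens[i]
            return True
    return False


def verify_by_name(user, token, devices, name=D2FA_BACKUP_NAME):
    """View-style lookup: only the device literally named `name` is consulted.

    A device created under any other name (e.g. "Backup Code") is never seen,
    so a valid token is rejected and the user may be locked out.
    """
    for d in devices_for(user, devices):
        if d.name == name:
            return consume(d, token)
    return False


def verify_any_static(user, token, devices):
    """Name-agnostic lookup: every static device of the user may hold the token."""
    for d in devices_for(user, devices):
        if consume(d, token):
            return True
    return False


def build_sample_devices():
    """Constructed sample: alice's only device was created by addstatictoken,
    bob holds a different token under the name the views expect."""
    return [
        StaticDevice("alice", OTP_ADDSTATICTOKEN_NAME, ["a1b2c3"]),
        StaticDevice("bob", D2FA_BACKUP_NAME, ["z9y8x7"]),
    ]


def scenario():
    """Return (by_name, any_static, reuse) for alice's token on a fresh sample."""
    devices = build_sample_devices()
    by_name = verify_by_name("alice", "a1b2c3", devices)       # False: wrong name
    any_static = verify_any_static("alice", "a1b2c3", devices) # True: found and consumed
    reuse = verify_any_static("alice", "a1b2c3", devices)      # False: single use
    return by_name, any_static, reuse


if __name__ == "__main__":
    print(scenario())
```

The name-agnostic path is only safe if the login flow still restricts the lookup to the authenticated user's own devices, which `devices_for` does here; a real fix would more likely follow psagers' suggestion below and track the backup device by foreign key rather than by name.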

Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?

moggers87 avatar Mar 28 '16 13:03 moggers87

The name field of django_otp.models.Device is documented as "A human-readable name to help the user identify their devices." It's really not intended to identify specific devices in the database. If D2FA would like to manage specific devices, my recommendation would be to create a model that holds foreign keys to those devices.

Ideally, addstatictoken should probably fail if there's no StaticDevice, perhaps with a flag to enable the current auto-create behavior. This is really just meant to help with bootstrapping a development environment or something.

Either way, if D2FA wants to be in a position for addstatictoken to always do the right thing, that probably means ensuring that every user always has a StaticDevice, even if it has no tokens. Alternatively, it could provide its own management command for this kind of thing.

psagers avatar Mar 28 '16 17:03 psagers

Good thoughts @psagers, those sound like good improvements. Thanks for the advice on how to improve this package.

Bouke avatar Apr 05 '16 19:04 Bouke

@moggers87

> Having thought about this some more, I'm wondering why D2FA views only look for a single StaticDevice - is there actually a use-case where a user would have backup and not-backup tokens?

I'm not saying it's a good idea and I'm not suggesting we should support it, but a lot of banks still provide printed TAN lists to use for e.g. online banking. These codes are static 2FA codes but are not backup codes in case you lose a device, afaict.

MarkusH avatar Jul 10 '16 12:07 MarkusH