
django_otp throttling feature

Open moggers87 opened this issue 5 years ago • 1 comment

This has now been released, but it introduces a few issues:

  1. It breaks one of our tests (easy enough to fix)
  2. We should probably write other tests to cover these changes and make sure nothing unexpected is happening
  3. Error messages don't make it to the user; currently they just get a generic "invalid token" error

moggers87 avatar Apr 24 '19 21:04 moggers87

Luke Plant (the person who wrote this feature/security fix for django_otp) also mentioned that we will throttle non-selected devices due to the way our authentication form works. The form ends up calling this util function, which is called because we can't tell OTPAuthenticationFormMixin which device the user has selected (we only know the token they're trying to use).

moggers87 avatar Apr 24 '19 21:04 moggers87
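To make the side effect described above concrete, here is a constructed simulation (added for this write-up; it is not django_otp's or django-two-factor-auth's code) of per-device exponential throttling modelled loosely on django_otp's ThrottlingMixin. The `Device`, `match_token_all_devices` and `verify_selected_device` names, the one-second throttle factor, and the toy fixed-token devices are assumptions; it shows that a device-agnostic "try every device" path records a failure on every device the user owns, so a later correct token for a different device can be rejected while that device is still backing off.

```python
# Constructed simulation of per-device OTP throttling, modelled loosely on
# django_otp's ThrottlingMixin. NOT django_otp's own code; the toy devices
# accept a single fixed token as a stand-in for TOTP/HOTP verification.
from dataclasses import dataclass

THROTTLE_FACTOR = 1.0  # seconds; delay after N failures is factor * 2**(N-1)


@dataclass
class Device:
    name: str
    secret_token: str        # the one token this toy device accepts
    failures: int = 0        # consecutive failed verifications
    failure_at: float = 0.0  # timestamp of the most recent failure

    def is_allowed(self, now: float) -> bool:
        """Like verify_is_allowed(): back off exponentially after failures."""
        if self.failures == 0:
            return True
        delay = THROTTLE_FACTOR * 2 ** (self.failures - 1)
        return now - self.failure_at >= delay

    def verify_token(self, token: str, now: float) -> bool:
        """Throttled verification; a failure is recorded on *this* device."""
        if not self.is_allowed(now):
            return False             # still backing off: rejected, no new count
        if token == self.secret_token:
            self.failures = 0        # throttle_reset()
            return True
        self.failures += 1           # throttle_increment()
        self.failure_at = now
        return False


def match_token_all_devices(devices, token, now):
    """Device-agnostic path: the form only knows the token, so every device is
    tried in turn. Each non-matching device records a failure for one attempt."""
    for device in devices:
        if device.verify_token(token, now):
            return device
    return None


def verify_selected_device(device, token, now):
    """Device-aware path: only the device the user actually chose is touched."""
    return device if device.verify_token(token, now) else None
```

With three devices and one mistyped token, the device-agnostic path leaves all three throttled, and a correct token for a different device entered half a second later is still rejected with nothing to tell the user why.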

All the problems listed here have been fixed for a long time, closing.

moggers87 avatar Feb 26 '24 03:02 moggers87