django-two-factor-auth
django_otp throttling feature
This has now been released, but it introduces a few issues:
- It breaks one of our tests (easy enough to fix)
- We should probably write other tests to cover these changes and make sure nothing unexpected is happening
- Error messages don't make it to the user; currently they will just get a generic "invalid token" error
Luke Plant (the person who wrote this feature/security fix for django_otp) also mentioned that we will throttle not-selected devices due to the way our authentication form works. The form ends up calling this util function, which is called because we can't tell OTPAuthenticationFormMixin which device the user has selected (we only know the token they're trying to use).
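The "throttling not-selected devices" problem described above, as an added, self-contained model that is not django-two-factor-auth's or django_otp's code: two HOTP devices each carry a django_otp-style failure counter with exponential backoff (the `delay = factor * 2 ** (failures - 1)` shape is an assumption modelled on django_otp's `ThrottlingMixin`), a form-style `match_token` tries the token on every device, and `verify_selected_device` checks only the chosen one. The device names, secrets and timestamps are constructed for the example; the `hotp` helper is plain RFC 4226 so the tokens are real.

```python
"""Constructed model of django_otp-style per-device throttling, showing why
verifying a token against every device (as match_token does) throttles the
devices the user did not select. Not django_otp's code."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ThrottledHOTPDevice:
    """One OTP device with an exponential-backoff failure counter.

    The throttle shape (delay = factor * 2 ** (failures - 1) seconds since the
    last failure) is an assumption modelled on django_otp's ThrottlingMixin;
    the class is constructed for this example, not the library's."""

    def __init__(self, name: str, secret: bytes, factor: float = 1.0) -> None:
        self.name = name
        self.secret = secret
        self.factor = factor
        self.counter = 0
        self.failure_count = 0
        self.failure_time: Optional[float] = None

    def current_token(self) -> str:
        return hotp(self.secret, self.counter)

    def verify_is_allowed(self, now: float) -> bool:
        if self.failure_count == 0 or self.failure_time is None:
            return True
        delay = self.factor * 2 ** (self.failure_count - 1)
        return now - self.failure_time >= delay

    def verify_token(self, token: str, now: float) -> bool:
        # A throttled device rejects outright and does not count the attempt.
        if not self.verify_is_allowed(now):
            return False
        if hmac.compare_digest(self.current_token(), token):
            self.counter += 1          # HOTP: a used counter value is burned
            self.failure_count = 0
            self.failure_time = None
            return True
        self.failure_count += 1        # every wrong token on THIS device counts
        self.failure_time = now
        return False


def match_token(devices, token: str, now: float) -> Optional[ThrottledHOTPDevice]:
    """Form-style check with no selected device: try the token on every
    device. Each device that rejects it records a failure, so one typo
    throttles all of them."""
    for device in devices:
        if device.verify_token(token, now):
            return device
    return None


def verify_selected_device(device: ThrottledHOTPDevice, token: str, now: float) -> bool:
    """Check only the device the user actually chose; only it gets throttled."""
    return device.verify_token(token, now)


def demonstrate() -> dict:
    """Run both strategies on constructed devices and return what a caller
    would observe (failure counters and accept/reject outcomes)."""
    now = 1_000.0
    # Constructed secrets; the first is the RFC 4226 test-vector key.
    primary = ThrottledHOTPDevice("primary", b"12345678901234567890")
    backup = ThrottledHOTPDevice("backup", b"constructed-backup-secret")
    good = backup.current_token()
    valid_now = {primary.current_token(), good}
    bad = next(t for t in (str(i).zfill(6) for i in range(10 ** 6)) if t not in valid_now)

    # 1. One wrong token through match_token: both devices record a failure...
    matched = match_token([primary, backup], bad, now)
    counts_after_match = {d.name: d.failure_count for d in (primary, backup)}
    # ...so the correct backup token is rejected until its 1 s backoff passes.
    rejected_during_backoff = not verify_selected_device(backup, good, now + 0.5)
    accepted_after_backoff = verify_selected_device(backup, good, now + 2.0)

    # 2. The same typo, but checked only against the device the user selected.
    primary2 = ThrottledHOTPDevice("primary", b"12345678901234567890")
    backup2 = ThrottledHOTPDevice("backup", b"constructed-backup-secret")
    verify_selected_device(backup2, bad, now)
    counts_after_selected = {d.name: d.failure_count for d in (primary2, backup2)}

    return {
        "matched": matched,
        "counts_after_match": counts_after_match,
        "backup_rejected_during_backoff": rejected_during_backoff,
        "backup_accepted_after_backoff": accepted_after_backoff,
        "counts_after_selected": counts_after_selected,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running `demonstrate()` shows the failure mode the issue describes: after one wrong token through `match_token`, both counters are at 1 and a correct token for the backup device is refused during the backoff window, whereas the selected-device path leaves the untouched device at 0. This is also why the throttling error text matters to the user: the generic "invalid token" message hides that the real cause is a lockout that will lift in a moment.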
All the problems listed here have been fixed for a long time, closing.