
Bypass security token on debug

Open Kailegh opened this issue 4 years ago • 3 comments

Hi, I have my web development server on which I work locally (192.168.0.4). I read the QR code and use the OTP without any problem. However, when I upload the server to another computer the tokens my mobile generates simply do not work, so I need to go to my local server, remove the MFA and enable it again. The thing is, the tokens do not work on two different servers although they use the same database and the OTP device is, therefore, the same.

My question is, can I use the debug mode of Django somehow to overcome the request of the security token when working locally and only ask for it on "production"? I do not intend to disable and enable the MFA of a user, I just want Django not to ask for the token on debug mode.

I have tried something like the following:

        import functools
        from django.conf import settings
        from django_otp.middleware import is_verified  # assumed import: the helper OTPMiddleware itself uses
        # Runs inside the middleware, after AuthenticationMiddleware has set request.user
        if settings.DEBUG:
            request.user.is_verified = lambda: True
        else:
            request.user.is_verified = functools.partial(is_verified, request.user)

That works if the user has not enabled the MFA, but if it is already enabled when the user logs in Django asks for the token, can I overcome this somehow?

Thanks a lot for your help!

Kailegh avatar Feb 25 '20 16:02 Kailegh

Where did you put this code? I see no reason why it shouldn't work.

Also, you might want to look into your servers' clocks. OTP shouldn't care about being on the same server, but it does care about time.

moggers87 avatar Feb 26 '20 00:02 moggers87

> Where did you put this code? I see no reason why it shouldn't work.

I created a middleware function that handles where some requests should be redirected:

        MIDDLEWARE.append('myapp.apps.OTPEnforceMiddleware')

What I have seen this code do is: if the user has enabled the MFA it asks for the token anyway; however, if the user has not enabled it but the page requires it, he can see the page with no problem. My problem, what I need, is that in debug mode I do not want a user that has enabled MFA to be asked for the token. Is it possible?

> Also, you might want to look into your servers' clocks. OTP shouldn't care about being on the same server, but it does care about time.

The same code works on my computer: if I run it on port 8035 using python manage.py runserver and use the QR obtained, I can log in without any problem. If I run the same code in a docker container on another port, it does not accept the verification token generated by the Google Authenticator. They are the same computer, so could it be a problem with the clock there? If so, do you have any idea how to solve it?

Thanks a lot!

Kailegh avatar Feb 26 '20 08:02 Kailegh

> What I have seen this code do is: if the user has enabled the MFA it asks for the token anyway; however, if the user has not enabled it but the page requires it, he can see the page with no problem. My problem, what I need, is that in debug mode I do not want a user that has enabled MFA to be asked for the token. Is it possible?

If I've understood you correctly, you just need to add the code from your earlier comment to your middleware.

> The same code works on my computer: if I run it on port 8035 using python manage.py runserver and use the QR obtained, I can log in without any problem. If I run the same code in a docker container on another port, it does not accept the verification token generated by the Google Authenticator. They are the same computer, so could it be a problem with the clock there? If so, do you have any idea how to solve it?

OK, that doesn't sound like a clock issue then. As far as I understand, docker just uses the host clock. What happens if you run the docker container on port 8035 as you did with runserver?

moggers87 avatar Feb 29 '20 00:02 moggers87
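The clock point raised in this thread (OTP "does care about time") can be checked directly. The following is an added example, not code from django-two-factor-auth or from anyone in the thread: a minimal RFC 6238 TOTP implementation (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator uses for a default provisioning URI) plus a verifier with the same ±1 step tolerance that django_otp's TOTP device applies by default. The base32 secret, the "phone" time and the server offsets are constructed values; run it to see which amount of skew between the authenticator and the server still validates and which does not. If two servers share a database but only one accepts the codes, comparing `date -u` on both hosts (and inside the container) is the first thing to check.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, token: str, unix_time: float,
                tolerance: int = 1, step: int = 30, digits: int = 6):
    """Accept the token if it matches the current step or any step within
    +/- tolerance. Returns the matching step offset, or None if rejected.
    A tolerance of 1 (the django_otp default) means roughly +/- 30-60 s of skew
    is forgiven; anything beyond that is rejected, which is what a server with
    a drifting clock looks like to the user."""
    counter = int(unix_time // step)
    for off in range(-tolerance, tolerance + 1):
        candidate = hotp(secret, counter + off, digits)
        if hmac.compare_digest(candidate, token):
            return off
    return None


def secret_from_base32(b32: str) -> bytes:
    """Provisioning URIs (the QR code) carry the shared secret as base32."""
    padded = b32.strip().upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def skew_outcomes(secret: bytes, phone_time: float, server_offsets):
    """For a code generated at phone_time, report whether a server whose clock
    is off by each offset (seconds) would accept it."""
    token = totp(secret, phone_time)
    return {off: verify_totp(secret, token, phone_time + off) is not None
            for off in server_offsets}


if __name__ == "__main__":
    # Constructed demo secret (base32 of the RFC 4226 test key), not a real one.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    phone_time = 1700000000  # constructed "now" on the authenticator
    for off, ok in skew_outcomes(secret, phone_time, [0, 20, -45, 90, -120]).items():
        print(f"server clock off by {off:+5d}s -> {'accepted' if ok else 'REJECTED'}")
    # Compare against the real clock of the machine this runs on:
    print("local code now:", totp(secret, time.time()))
```

`skew_outcomes` is the part to keep in mind for the docker question above: a container that really shares the host clock will produce the same table as the host, so if the container rejects codes that the host accepts, the two are not reading the same time.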