django-two-factor-auth

Ability to change authentication method

Open lmignon opened this issue 5 years ago • 3 comments

Expected Behavior

Allow the user to change the authentication method from their profile page.

Current Behavior

Once a user has chosen an authentication method, it is not possible for the user to change the method.

lmignon avatar Mar 25 '20 13:03 lmignon

I am working on this issue and I am facing some technical questions. My first idea was to jump into the wizard for setting up double authentication directly 'at the right place': i.e., if the user was previously using Google Authenticator, use the wizard (SetupView) from the 'sms' step, and vice versa in the other case. However, to do so, I inherited from the SetupView and tried to extend the get to 'jump to the right place' (by using render_goto_step with the right step set in). Doing so, I got stuck because the steps of the wizard are defined in the form_dict and you have to go through them (cannot skip a step, at least I didn't see how to). So, if I previously was on the step 'sms', and now want to use Google Authenticator, I manage to jump into the wizard at the token step with the QR code, but then the next step is the phone number and I have to go through this one too.

So, from here, I dug a little bit into the code and I thought of 2 ways to get around this issue:

  • implement a "skip_step" method that would take the steps to skip in the wizard. This would somehow hide some HTML content based on keywords or something like that. But then, I am not sure how to use this by extending the current SetupView (I would have to find a way to let Django know that I am actually coming from a reset process of the double authentication method and not from the first time I am enabling it).
  • split the existing setup wizard into 2 sub-wizards: one for Google Authenticator, the other one for the phone method. This would split the logic of the 2 methods (which I think is always a good thing). In this case, when I want to change the method, I call one wizard or the other, depending on the current method. And if it's the first time I enable double authentication, the 2 sub-wizards are somehow merged together to retrieve the current SetupView (this part is still not clear to me; I don't know how to use 2 form_lists in one wizard, basically). This last point will, I think, need some refactoring, which is not a small one.

Any advice, suggestion, or way to proceed about this would be of great help.

Thanks a lot!

lmarion-source avatar Aug 19 '20 13:08 lmarion-source

I think you're going to make things too complicated for yourself. We already have a separate view for setting up backup phones, so why not a separate view for changing methods?

moggers87 avatar Aug 19 '20 14:08 moggers87

I was thinking of a separate view for changing methods, but basically I will have to re-use the wizard to go through the steps for QR code generation then token confirmation, or phone number and confirmation. In order to not duplicate the code for this, I was thinking of re-using the SetupView with some modifications. But I don't know, maybe there is a better idea than this.

lmarion-source avatar Aug 19 '20 14:08 lmarion-source