django-two-factor-auth
Views that require new OTP authentication for every POST action
I would like to increase the security of some views, such as submitting payouts, handling money or other potentially risky tasks. To increase the security I would like to let the user re-submit his/her OTP once again for every POST action.
Expected Behavior
The scenario where this might help is that the user leaves his/her computer with the session already authenticated and goes off. Then some other person can come in and, for example, steal all the money from his/her account.
Current Behavior
In the current logic of django-two-factor-auth it is also possible to disable 2FA without any additional authentication and set up a new one. It would be necessary to also require a secondary 2FA for the /account/two_factor/disable/ view in order to make this protection effective.
Possible Solution
The described scenario could be prevented if the user re-submits the OTP code before or while making the POST request to the security-demanding view.
A second possibility for implementing this might be to extend the @otp_required decorator / OTPRequiredMixin mixin with a requirement for a maximum age of the authentication. So, for example, I could decorate the risky view with:
from django_otp.decorators import otp_required

@otp_required(max_age=5)  # 5 seconds
def my_view(request):
    pass
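One way to sketch both variants proposed above, as an added example that is not part of the issue, of django_otp or of django-two-factor-auth: the real `otp_required` from django_otp has no `max_age` argument, and django_otp does not record when a device was verified, so the decorator below is written in plain Python with a stand-in request object and assumes the OTP form view stores a timestamp under a hypothetical session key (`otp_verified_at`) after a successful `device.verify_token()`. With `consume=True` the verification is spent by the request, so every further POST needs a fresh code (the first option); with `consume=False` it behaves like the proposed `max_age` sliding window (the second option). The same decorator could wrap the disable view mentioned under "Current Behavior".

```python
import functools
import time

# Hypothetical session key for this example. django_otp does not store a
# verification time, so the view that handles the OTP form must call
# record_otp_verification() right after a successful device.verify_token().
OTP_VERIFIED_AT_KEY = "otp_verified_at"


class OtpReauthRequired(Exception):
    """Raised when a sensitive request arrives without a fresh OTP verification.

    A real Django implementation would redirect to the OTP form with ?next=
    set to the protected URL instead of raising."""


def record_otp_verification(session, clock=time.time):
    """Store the moment of a successful OTP verification in the session."""
    session[OTP_VERIFIED_AT_KEY] = clock()


def otp_is_fresh(session, max_age, clock=time.time):
    """True if the session holds an OTP verification at most max_age seconds old."""
    verified_at = session.get(OTP_VERIFIED_AT_KEY)
    if verified_at is None:
        return False
    age = clock() - verified_at
    # A negative age means a clock rolled back or a tampered value; fail closed.
    return 0 <= age <= max_age


def otp_required_recent(max_age, consume=False,
                        methods=("POST", "PUT", "PATCH", "DELETE"),
                        clock=time.time):
    """Decorator: state-changing methods need an OTP verification no older
    than max_age seconds. Read-only methods (GET, HEAD) pass through so the
    form itself can still be rendered."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.method in methods:
                if not otp_is_fresh(request.session, max_age, clock):
                    raise OtpReauthRequired(
                        f"{request.method} {view.__name__} needs a fresh OTP")
                if consume:
                    # Spend the verification before running the view, so a
                    # failing view cannot leave a reusable token behind.
                    del request.session[OTP_VERIFIED_AT_KEY]
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest so this runs without Django."""
    def __init__(self, method, session):
        self.method = method
        self.session = session


def demo():
    """Walk through the scenario from the issue with a controllable clock."""
    now = [1000.0]

    def clock():
        return now[0]

    session = {}  # plays the role of request.session
    results = []

    @otp_required_recent(max_age=5, consume=True, clock=clock)
    def submit_payout(request):
        return f"{request.method} ok"

    def attempt(method):
        try:
            return submit_payout(FakeRequest(method, session))
        except OtpReauthRequired:
            return "reauth required"

    results.append(attempt("GET"))    # read-only: no step-up needed
    results.append(attempt("POST"))   # never verified: blocked
    record_otp_verification(session, clock)
    now[0] += 3
    results.append(attempt("POST"))   # 3 s old, within max_age: allowed, then spent
    results.append(attempt("POST"))   # same session, code already spent: blocked
    record_otp_verification(session, clock)
    now[0] += 6
    results.append(attempt("POST"))   # 6 s old, past max_age: blocked
    return results
```

In a Django project the `OtpReauthRequired` branch would redirect to the OTP form and the form view would call `record_otp_verification(request.session)` on success; the freshness check is independent of django_otp's own `otp_device_id` session entry, which only records that a device was verified at some point in the session's lifetime.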