
Only require 2fa for admin urls?

Open vdboor opened this issue 6 years ago • 0 comments

Would it make sense to only require 2fa for the pages where wagtail is mounted? E.g. everything below reverse('wagtailadmin_home') such as /cms/ and /admin/?

    from django.conf import settings
    from django.urls import NoReverseMatch, reverse


    def _require_verified_user(self, request):
        ...  # existing checks stay as they are

        if settings.WAGTAIL_2FA_ONLY_URLS:
            # As safeguard, the wagtail+admin pages are always under 2fa,
            # otherwise there is a chance to circumvent 2fa for those URLs.
            admin_urls = settings.WAGTAIL_2FA_ONLY_URLS + [reverse('wagtailadmin_home')]
            try:
                # The Django admin may not be installed; only add it when it resolves.
                admin_urls.append(reverse('admin:index'))
            except NoReverseMatch:
                pass

            # Outside the listed prefixes, no verified user is required.
            if not any(request.path.startswith(url) for url in admin_urls):
                return False

        return True

Reason for using this:

  • on the regular user pages, we'd like to use allauth-2fa to show a user-facing 2fa check.
  • only on the wagtail and admin pages, the wagtail-2fa screen should pop up.

vdboor, Feb 27 '19 13:02
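The URL-scoping rule proposed in this issue, as an added example that is not part of the issue or of wagtail-2fa: it is written framework-free so it runs without Django, the prefixes that `reverse('wagtailadmin_home')` and `reverse('admin:index')` would return are passed in explicitly (`/cms/` and `/admin/` are assumed values), and it adds trailing-slash normalisation so a configured prefix such as `/account/settings` does not also match a sibling path like `/account/settingsx/`, which a bare `startswith` would.

```python
# Added example (not from the issue or wagtail-2fa): the proposed
# WAGTAIL_2FA_ONLY_URLS scoping, as a plain function runnable without Django.


def normalize_prefix(prefix: str) -> str:
    """Ensure a prefix ends with '/' so '/cms' cannot also match '/cms-blog/'."""
    return prefix if prefix.endswith("/") else prefix + "/"


def path_requires_2fa(path: str, only_urls, admin_prefixes) -> bool:
    """Return True when the request path falls under a 2FA-enforced prefix.

    only_urls mirrors the proposed WAGTAIL_2FA_ONLY_URLS setting; an empty
    list keeps today's behaviour, where every URL needs a verified user.
    admin_prefixes are always enforced regardless of the setting, so the
    Wagtail and Django admin cannot be excluded by configuration.
    """
    if not only_urls:
        return True
    enforced = [normalize_prefix(p) for p in list(only_urls) + list(admin_prefixes)]
    # Compare the path with a trailing slash added, so '/cms' (no slash) is
    # matched by the '/cms/' prefix while '/cmsx/' is not.
    candidate = path if path.endswith("/") else path + "/"
    return any(candidate.startswith(p) for p in enforced)


# Constructed sample values; the two admin prefixes stand in for what
# reverse('wagtailadmin_home') and reverse('admin:index') would return.
ADMIN_PREFIXES = ["/cms/", "/admin/"]
ONLY_URLS = ["/account/settings"]  # assumed value of WAGTAIL_2FA_ONLY_URLS

CASES = {
    "/cms/pages/": True,           # Wagtail admin: always enforced
    "/admin/auth/user/": True,     # Django admin: always enforced
    "/account/settings/": True,    # explicitly listed prefix
    "/account/settingsx/": False,  # sibling path: not a match once normalised
    "/blog/2019/": False,          # public page: left to allauth-2fa
    "/cms": True,                  # the prefix itself, without trailing slash
}


def run_cases():
    """Evaluate every sample path against the constructed configuration."""
    return {path: path_requires_2fa(path, ONLY_URLS, ADMIN_PREFIXES) for path in CASES}


if __name__ == "__main__":
    for path, got in run_cases().items():
        print(f"{path:22} -> {got} (expected {CASES[path]})")
```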