django-trench
Reactivating the primary disabled MFAMethod introduces an inconsistent state
Hi! First of all, thank you for this awesome package!
Describe the bug
Reactivating the disabled primary MFAMethod should maintain is_primary=True. This is not working as expected because this statement doesn't take into account whether the primary method is the one affected in the process.
To Reproduce
This is the full process for reproducing it.
Login
curl -X POST http://localhost:8000/auth/jwt/login/ -H "Content-Type: application/json" -d '{"username": "admin", "password": "admin"}'
{"refresh":"...","access":"..."}
Activate app method
curl -X POST http://localhost:8000/auth/app/activate/ -H "Authorization: Bearer ..."
{"details":"otpauth://totp/MyApplication:admin?secret=HAA2VOHKZMJV6I6Y2JYX26OV7SMOULWO&issuer=MyApplication&period=600"}
Confirm app method
curl -X POST http://localhost:8000/auth/app/activate/confirm/ -H "Authorization: Bearer ..." -H "Content-Type: application/json" -d '{"code": "231528"}'
{"backup_codes":["931780504135","028493362694","608422503394","034115886743","890942714207","867642128148","293494835872","567079811791"]}
Deactivate app method
curl -X POST http://localhost:8000/auth/app/deactivate/ -H "Authorization: Bearer ..." -H "Content-Type: application/json" -d '{"code": "818437"}'
(no content)
Reactivate app method
curl -X POST http://localhost:8000/auth/app/activate/ -H "Authorization: Bearer ..." -H "Content-Type: application/json"
{"details":"otpauth://totp/MyApplication:admin?secret=HAA2VOHKZMJV6I6Y2JYX26OV7SMOULWO&issuer=MyApplication"}
Reactivate app method confirm
curl -X POST http://localhost:8000/auth/app/activate/confirm/ -H "Authorization: Bearer ..." -H "Content-Type: application/json" -d '{"code": "036716"}'
{"backup_codes":["684375266907","082071192573","288256663115","727551988514","106943114872","437314901576","714604541769","675806917849"]}
Expected behavior
MFAMethod instance should keep is_primary=True and is_active=True but it doesn't.
I fixed this behavior by annotating the primary method instead of using the MFAUserMethodManager.primary_exists method.
I'll publish the fix in a PR.
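As an added illustration, not django-trench's own code, the following minimal in-memory model walks through the activate, deactivate, reactivate sequence above. It assumes the activation statement computes is_primary as `not primary_exists()` and that deactivation leaves is_primary untouched; `activate_fixed` shows the same step with a check that ignores the method being reactivated, and `is_consistent` flags the resulting state (an active method with no active primary).

```python
from dataclasses import dataclass, field

@dataclass
class MFAMethodRow:  # stand-in for one MFAMethod row (assumption, not the real model)
    name: str
    is_active: bool = False
    is_primary: bool = False

@dataclass
class UserMethods:  # all MFAMethod rows of one user, keyed by method name
    rows: dict = field(default_factory=dict)

    def primary_exists(self) -> bool:
        # Mirrors the described primary_exists check: it only looks at
        # is_primary, so a deactivated-but-still-primary row still counts.
        return any(r.is_primary for r in self.rows.values())

    def activate_buggy(self, name: str) -> None:
        row = self.rows.setdefault(name, MFAMethodRow(name))
        # Assumed buggy statement: on reactivation primary_exists() is True
        # because of `row` itself, so the method loses is_primary.
        row.is_primary = not self.primary_exists()
        row.is_active = True

    def activate_fixed(self, name: str) -> None:
        row = self.rows.setdefault(name, MFAMethodRow(name))
        # Ignore the method being (re)activated when asking whether some
        # other method is already primary; a primary method stays primary.
        other_primary = any(r.is_primary for n, r in self.rows.items() if n != name)
        row.is_primary = row.is_primary or not other_primary
        row.is_active = True

    def deactivate(self, name: str) -> None:
        # Assumed: deactivation clears is_active only and leaves is_primary as it was.
        self.rows[name].is_active = False

    def is_consistent(self) -> bool:
        active = [r for r in self.rows.values() if r.is_active]
        primaries = [r for r in active if r.is_primary]
        # Whenever any method is active, exactly one active method is primary.
        return not active or len(primaries) == 1

def reproduce(activate) -> tuple:
    # activate -> deactivate -> reactivate the "app" method, as in the report
    u = UserMethods()
    activate(u, "app")
    u.deactivate("app")
    activate(u, "app")
    row = u.rows["app"]
    return row.is_active, row.is_primary, u.is_consistent()
```

`reproduce(UserMethods.activate_buggy)` ends with the method active but no primary at all, while `reproduce(UserMethods.activate_fixed)` keeps is_primary=True.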
Is this library still active? How come this is still an open issue?
Fixed in: https://github.com/merixstudio/django-trench/pull/186