
Improper comparison between RP ID and self.request.get_host()

Open lamaral opened this issue 2 years ago • 1 comments

While testing django-multifactor in my dev environment, I ran into an issue where after registering a YubiKey, I wasn't able to open the /accounts/mfa URL anymore. When trying to open it, it would go into a redirection loop between /accounts/mfa/authenticate/ and /accounts/mfa/add/.

Upon investigation, I narrowed it down to line 133 on the Authenticate view. There, self.request.get_host() is called and compared to the domain registered with the 2nd factor. The domain in that case would be the RP ID, which doesn't include a port. On my local environment, self.request.get_host() returns hostname:8000, causing the comparison to fail, and because there are no methods available, the check on line 138 redirects to the add view.

I quickly patched line 133 to read if domain != self.request.get_host().split(':')[0]: and that solved the issue for me, but I haven't done further testing to see if something else is affected.

lamaral avatar Dec 03 '23 18:12 lamaral
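The mismatch described in this issue (an RP ID never carries a port, while Django's request.get_host() returns host[:port]) can be checked in isolation. This is an added example, not code from django-multifactor; it assumes only that the Host value has the same shape as get_host() returns, and it also covers bracketed IPv6 literals, which the quick split(':')[0] patch would mishandle.

```python
from urllib.parse import urlsplit


def host_without_port(host_header: str) -> str:
    """Return the bare hostname from a 'host[:port]' value such as the
    string Django's request.get_host() returns.

    urlsplit is used instead of split(':')[0] so that bracketed IPv6
    literals like '[::1]:8000' yield '::1' rather than '['.  urlsplit
    also lowercases the hostname, matching how RP IDs are written.
    """
    hostname = urlsplit("//" + host_header).hostname
    if not hostname:
        raise ValueError(f"cannot parse host value: {host_header!r}")
    return hostname


def rp_id_matches_host(rp_id: str, host_header: str) -> bool:
    """Exact comparison of the registered RP ID against the request host,
    ignoring only the port.  No suffix matching: 'evil-example.com' must
    not satisfy an RP ID of 'example.com'."""
    return host_without_port(host_header) == rp_id.lower()


def naive_matches(rp_id: str, host_header: str) -> bool:
    """The comparison the issue reports: fails whenever a port is present."""
    return rp_id == host_header


if __name__ == "__main__":
    # Constructed sample values mirroring the dev-server case in the issue.
    print(naive_matches("localhost", "localhost:8000"))        # False
    print(rp_id_matches_host("localhost", "localhost:8000"))   # True
    print(rp_id_matches_host("localhost", "[::1]:8000"))       # False
```

Django also ships django.http.request.split_domain_port, which performs the same host/port separation for valid Host values.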

@oliwarner does v0.7 resolve this one? I believe it may, so it can be closed if it does.

StevenMapes avatar Jun 07 '24 11:06 StevenMapes