Tobias Bengfort

Results 184 comments of Tobias Bengfort

I had another look at this and I get the feeling that it doesn't actually tackle the heart of the problem. Consider these cases:

- If the user had keys...

> this PR should be considered to avoid an attacker to login and remove the 2fa with the sole submission of username/password

But that is already impossible. If a key...

> scenario A
> An adversary can get logged in with username and password and in front of the 2fa submission form can bypass this stage making a http request...

Some tests were added in 7116e76. However, the conceptual issues remain.

These are notes for migration. I will update this comment as I find out more.

- add `django-two-factor-auth[phonenumberslite,webauthn]` as a dependency
- add the following to `INSTALLED_APPS`:

```
'django_otp',
'django_otp.plugins.otp_static',...
```

As far as I understand you removed some of the main department functionality, correct? This sounds to me more like a workaround than a fix. Maybe we should create an...

In django/db/migrations/autodetector.py line 912 (in `generate_altered_fields()` directly after `if old_field_dec != new_field_dec:`) I added the following code for debugging:

```
print(app_label, model_name, field_name)
print(old_field_dec)
print(new_field_dec)
print()
```

Then I ran `./manage.py makemigrations...

We can still have this issue because some model choices depend on settings (e.g. `Lageruser.theme`) or external libraries (e.g. `Lageruser.timezone`). I am not sure what to do about that. There...

I don't see why this should be necessary. In production you usually don't serve static files from django, so the request doesn't go through the middleware. In development you usually...

Can you provide more details on your setup? The [official documentation](https://docs.djangoproject.com/en/5.0/howto/deployment/asgi/uvicorn/) does not mention anything special about static files. Any tutorials I found (e.g. [this one](https://www.valentinog.com/blog/uvicorn-django/#static-files-settings-and-migrations)) also recommended to bypass...