Mandatory Use Once Configured For User?


Bruce MacKay
Oct 30, 2017, 12:20:06 PM, to django-otp
Hi, sorry for this noobish question, but I'm not clear on something that seems to be assumed or perhaps is too fundamental to mention in the django-otp documentation.

What I hope to achieve is allow our users to optionally add an OTP device to their account.  It should then be required to use the OTP device to log into that account from that point on, unless the OTP device is removed from their account by one of our support staff.

I see how django-otp adds "authenticated" as an extra authentication level and how I can restrict pages to users who have used an OTP device.  But I want to secure selected accounts, not selected content.

I have added a Yubikey validation service and assigned a remote Yubikey device to a test user.  I expected that once this was done, I wouldn't be able to log in as the test user without setting up the django-otp login page and authenticating with my Yubikey.  

So are my goals at odds with the architecture of django-otp?   Is this something that is readily configured and I'm just missing the point or do I have to write custom middleware to accomplish this?

Thanks in advance for your advice.

Bruce

Peter Sagerson
Oct 30, 2017, 1:15:05 PM, to djang...@googlegroups.com, bma...@razyr.net
Hi Bruce,

I believe what you're looking for is the if_configured argument to the otp_required decorator.[1][2] Using this approach, you would define a view like the following (or do the equivalent in a base class, if you have a class-based view hierarchy):

from django.contrib.auth.decorators import login_required
from django_otp.decorators import otp_required

@login_required
@otp_required(if_configured=True)  # only users with a confirmed device are sent to OTP_LOGIN_URL
def some_view(request):
    ...

When an unauthenticated user visits the view, they'll hit login_required and get redirected to the login URL, where they'll presumably authenticate with username and password. They'll then be sent back and hit otp_required. If they have no devices configured, they'll sail past and get to the view. Otherwise, they'll get redirected to OTP_LOGIN_URL, which can be connected to django_otp.views.login or your own equivalent.

From your question, it sounds like you may be trying to limit users at the authentication stage rather than authorization. In other words, for any user with a configured device, you're looking for all or nothing: either anonymous or authenticated+verified. There's no direct support for this, although it's not impossible. The one-stop AuthenticationForm[3] almost does this, it just doesn't happen to have an if_configured option. You could probably use that as a starting point, if that's what you're after.

My recommendation would be the first approach, though. It feels like less of a subversion of Django's authentication design and I think it makes for a better user experience. Your mileage may vary.

Thanks,
Peter





Bruce MacKay
Oct 30, 2017, 1:22:38 PM, to django-otp
Ah, I missed the subtlety of the if_configured=True argument for otp_required.  That is exactly what will do the job.

Thanks for the speedy response!