Django - Two Factor Authentication Custom Login

Question

After a quick search and reading documentation I implemented Django - Two Factor Authentication in one of my Django project [Reference Link].

It works great I am using Google Authenticator for token based login. The problem arises when I want to extend login methodology of the library. I want to enforce my every user to use 2-Factor-Auth as compulsion. I am not using any signup measures so there has to be a check at the time of Login for a user.

The problem is to design a custom login mechanism but I am unable to incorporate this library with the custom login.

PS: I have a custom user model and currently I am using default Login that came with Django Two Factor Authentication.

I did not though the code was necessary so I did not posted it but I can share it if needed.

Answer 1

After a through look at the library code I was able to manipulate the check in the two_factor library.

So, looking at two_factor folder it is easily understandable that is nothing but a Django app similar to others.

I navigated to the library files in my virtual environment venv\Lib\site-packages\two_factor\views\core.py. As mentioned in the documentation there is no enforcement for users till now to setup 2fa.

In LoginView(...) there is a function done. IT checks for the device availability for 2fa just add a else clause for redirection.

def done(self, form_list, **kwargs):
        """
        Login the user and redirect to the desired page.
        """

        # Check if remember cookie should be set after login
        current_step_data = self.storage.get_step_data(self.steps.current)
        remember = bool(current_step_data and current_step_data.get('token-remember') == 'on')

        login(self.request, self.get_user())

        redirect_to = self.get_success_url()

        device = getattr(self.get_user(), 'otp_device', None)
        response = redirect(redirect_to)

        if device:
            signals.user_verified.send(sender=__name__, request=self.request,
                                       user=self.get_user(), device=device)

            # Set a remember cookie if activated

            if getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_AGE', None) and remember:
                # choose a unique cookie key to remember devices for multiple users in the same browser
                cookie_key = REMEMBER_COOKIE_PREFIX + str(uuid4())
                cookie_value = get_remember_device_cookie(user=self.get_user(),
                                                          otp_device_id=device.persistent_id)
                response.set_cookie(cookie_key, cookie_value,
                                    max_age=settings.TWO_FACTOR_REMEMBER_COOKIE_AGE,
                                    domain=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_DOMAIN', None),
                                    path=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_PATH', '/'),
                                    secure=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_SECURE', False),
                                    httponly=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_HTTPONLY', True),
                                    samesite=getattr(settings, 'TWO_FACTOR_REMEMBER_COOKIE_SAMESITE', 'Lax'),
                                    )
        else:
            return redirect('two_factor:setup')

        return response

So what happens is the check for device can only be successful if the user has setup the 2fa but it will never be true for unverified user.

I totally understand there will be a more efficient and elegant method to do the above task but with my little knowledge and time limitation I have to do this. I will post an update if I encounter and I also welcome feedbacks for my solution.

Answer 2

django-two-factor-auth provides an is_verified() method through django-otp's OTPMiddleware. According to the docs, this method

can be used to check if the user was logged in using two-factor authentication.

I have a similar scenario as yours (Custom User Model and django-two-factor-auth's default login mechanism), so I did the following:

1. set LOGIN_REDIRECT_URL to a URL which requires a verified user. Let's call it, for example, "dashboard"
2. in the dashboard view, do something like this:

def dashboard_view(request):
    if request.user.is_verified():
        # user logged in using two-factor
        return render(request, "dashboard/template.html")
    else:
        # user not logged in using two-factor
        return redirect("two_factor:setup")

Answer 3

The contribution from 'engineervix' was very useful, however, it can be simply bypassed by a single authentication and typing in a known django web address. However, this is a first super step. Combined with a standart base.html with a check on 'request.user.is_verified', it seems to me like a complete solution. I attach my base.html as an example.

The idea is that all my custom web pages are build with an extend base.html. If base.html can only be accessed with 2FA, than all my custom web pages can only be accessed by 2FA. A special block 'content_non_auth' is added for user account management without 2FA.

<!-- templates/base.html -->
<!DOCTYPE html>
<html lang="de">
<head>
  ...
</head>
<body>
  <div class="container">
    <header class="p-3 mb-3 border-bottom">
     
          {% if request.user.is_verified %}
            <a class="navbar-brand" href="{% url 'home' %}">
              Sample Site Title</a>
          {% else %}
            <h3 style="color:blue;">Sample Site Tile</h3>
          {% endif %}
    </header>
  <main>
    {% if request.user.is_verified %}
      {% block content %}
      {% endblock %}
    {% else %}
      <h3>You are not logged in</h3>
      {% block content_non_auth %}
        <!-- Block for user accout management without 2FA -->`enter code here`
      {% endblock %}
    {% endif %}
  </main>
</body>

</html>