If user has already been authorized, no mfa is allowed

2022-06-24 11:28:46 +02:00 · 2022-06-24 11:28:46 +02:00 · c7e6857492
commit c7e6857492
parent aaa4216862
2 changed files with 6 additions and 3 deletions
--- a/server/src/uds/core/auths/auth.py
+++ b/server/src/uds/core/auths/auth.py
@ -137,6 +137,7 @@ def webLoginRequired(
    def decorator(
        view_func: typing.Callable[..., HttpResponse]
    ) -> typing.Callable[..., HttpResponse]:
+        @wraps(view_func)
        def _wrapped_view(
            request: 'ExtendedHttpRequest', *args, **kwargs
        ) -> HttpResponse:
@ -292,7 +293,6 @@ def authenticate(
            username,
        )
        return None
-        

    return __registerUser(authenticator, authInstance, username)

@ -377,7 +377,9 @@ def webLogin(
    cookie = getUDSCookie(request, response)

    user.updateLastAccess()
-    request.authorized = False  # For now, we don't know if the user is authorized until MFA is checked
+    request.authorized = (
+        False  # For now, we don't know if the user is authorized until MFA is checked
+    )
    request.session[USER_KEY] = user.id
    request.session[PASS_KEY] = cryptoManager().symCrypt(
        password, cookie
--- a/server/src/uds/web/views/modern.py
+++ b/server/src/uds/web/views/modern.py
@ -170,9 +170,10 @@ def servicesData(request: ExtendedHttpRequestWithUser) -> HttpResponse:
 # The MFA page does not needs CRF token, so we disable it
@csrf_exempt
 def mfa(request: ExtendedHttpRequest) -> HttpResponse:
-    if not request.user:
+    if not request.user or request.authorized:  # If no user, or user is already authorized, redirect to index
        return HttpResponseRedirect(reverse('page.index'))  # No user, no MFA

+
    mfaProvider: 'models.MFA' = request.user.manager.mfa
    if not mfaProvider:
        return HttpResponseRedirect(reverse('page.index'))