If user has already been authorized, no mfa is allowed

server/src/uds/core/auths/auth.py

@@ -137,6 +137,7 @@ def webLoginRequired(
     def decorator(
         view_func: typing.Callable[..., HttpResponse]
     ) -> typing.Callable[..., HttpResponse]:
+        @wraps(view_func)
         def _wrapped_view(
             request: 'ExtendedHttpRequest', *args, **kwargs
         ) -> HttpResponse:
@@ -293,7 +294,6 @@ def authenticate(
         )
         return None
 
-
     return __registerUser(authenticator, authInstance, username)
 
 
@@ -377,7 +377,9 @@ def webLogin(
     cookie = getUDSCookie(request, response)
 
     user.updateLastAccess()
-    request.authorized = False  # For now, we don't know if the user is authorized until MFA is checked
+    request.authorized = (
+        False  # For now, we don't know if the user is authorized until MFA is checked
+    )
     request.session[USER_KEY] = user.id
     request.session[PASS_KEY] = cryptoManager().symCrypt(
         password, cookie

server/src/uds/web/views/modern.py

@@ -170,9 +170,10 @@ def servicesData(request: ExtendedHttpRequestWithUser) -> HttpResponse:
 # The MFA page does not needs CRF token, so we disable it
 @csrf_exempt
 def mfa(request: ExtendedHttpRequest) -> HttpResponse:
-    if not request.user:
+    if not request.user or request.authorized:  # If no user, or user is already authorized, redirect to index
         return HttpResponseRedirect(reverse('page.index'))  # No user, no MFA
 
+
     mfaProvider: 'models.MFA' = request.user.manager.mfa
     if not mfaProvider:
         return HttpResponseRedirect(reverse('page.index'))