From 0d281af982be2bd6d5092e9f8fc57ce19c49fa8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adolfo=20G=C3=B3mez=20Garc=C3=ADa?= Date: Tue, 28 Jun 2022 16:38:25 +0200 Subject: [PATCH] merged 3.5-mfa till now --- server/src/uds/core/util/middleware/request.py | 7 ++++++- server/src/uds/web/views/modern.py | 7 ++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/server/src/uds/core/util/middleware/request.py b/server/src/uds/core/util/middleware/request.py index 9d1776a51..0d3f244e9 100644 --- a/server/src/uds/core/util/middleware/request.py +++ b/server/src/uds/core/util/middleware/request.py @@ -37,7 +37,7 @@ from django.utils import timezone from uds.core.util import os_detector as OsDetector from uds.core.util.config import GlobalConfig -from uds.core.auths.auth import EXPIRY_KEY, ROOT_ID, USER_KEY, getRootUser, webLogout +from uds.core.auths.auth import AUTHORIZED_KEY, EXPIRY_KEY, ROOT_ID, USER_KEY, getRootUser, webLogout from uds.models import User if typing.TYPE_CHECKING: @@ -65,6 +65,7 @@ class GlobalRequestMiddleware: def __call__(self, request: 'ExtendedHttpRequest'): # Add IP to request GlobalRequestMiddleware.fillIps(request) + request.authorized = request.session.get(AUTHORIZED_KEY, False) # Ensures request contains os request.os = OsDetector.getOsFromUA( @@ -96,6 +97,10 @@ class GlobalRequestMiddleware: response = self._get_response(request) + # Update authorized on session + if hasattr(request, 'session'): + request.session[AUTHORIZED_KEY] = request.authorized + return self._process_response(request, response) @staticmethod diff --git a/server/src/uds/web/views/modern.py b/server/src/uds/web/views/modern.py index a5464efca..c9d0499b7 100644 --- a/server/src/uds/web/views/modern.py +++ b/server/src/uds/web/views/modern.py @@ -57,6 +57,7 @@ from uds.web.util import configjs logger = logging.getLogger(__name__) CSRF_FIELD = 'csrfmiddlewaretoken' +MFA_COOKIE_NAME = 'mfa_status' if typing.TYPE_CHECKING: from uds import models 
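Review bot: In `GlobalRequestMiddleware.__call__`, the write-back `request.session[AUTHORIZED_KEY] = request.authorized` after `_get_response` runs on every request, including requests where the view has just ended the session. If a logout path flushes the session without also resetting `request.authorized` (not visible in this patch, so confirm against `webLogout`), this line would copy the old `True` value into the fresh session, and it also marks the session as modified on every request. Consider keeping the value read at the top of `__call__` and writing only when it changed, for example `if hasattr(request, 'session') and request.authorized != initialAuthorized:`. The added read `request.session.get(AUTHORIZED_KEY, False)` in the earlier hunk has no `hasattr` guard, so the two places should agree on whether the session can be absent.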
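Review bot: `MFA_COOKIE_NAME = 'mfa_status'` in `modern.py` is not used in any hunk shown and carries no comment saying what the cookie holds. Because it sits beside the MFA login flow, a one-line comment would make the trust boundary explicit, for example `# Cookie remembering MFA state; the value must be verified server-side, never trusted as a bare flag`. If the cookie is set elsewhere in this merge, check there that it is issued with HttpOnly and Secure.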
@@ -114,9 +115,9 @@ def login( # If MFA is provided, we need to redirect to MFA page request.authorized = True - if user.manager.getType().providesMfa() and user.manager.mfa: - authInstance = user.manager.getInstance() - if authInstance.mfaIdentifier(): + if loginResult.user.manager.getType().providesMfa() and loginResult.user.manager.mfa: + authInstance = loginResult.user.manager.getInstance() + if authInstance.mfaIdentifier(loginResult.user.name): request.authorized = ( False # We can ask for MFA so first disauthorize user )
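Review bot: In `login`, `request.authorized = True` is assigned before the MFA checks and only lowered to `False` in the innermost branch, so the flag fails open. If `getType()`, `getInstance()` or `mfaIdentifier(loginResult.user.name)` raises, the request keeps `authorized = True`, and the middleware write-back added in this same patch may persist it to the session. I would start from `request.authorized = False` and set it to `True` only once the code has established that no MFA step applies. Also note that an empty `mfaIdentifier(...)` result authorizes the user without MFA even though `manager.mfa` is configured; if that is intended, a comment should say so, otherwise it should be logged or rejected. The body of `login` starts before and continues after this hunk, so the redirect handling was not reviewed.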