Mfa timeout function needs non-anonymous user #3816
Comments
Yes. If you have not passed all checks (email verification if mandatory, 2FA if enabled, ...) I must admit, I don't fully understand what you are trying to accomplish:
This is not clear to me.
When the mfa form is filled out it should check how long ago the login form was submitted. If it's longer than x seconds, it should timeout and restart the login process.
What's the difference with what you are aiming for, versus what
This is what should happen:
I see. In that case:
It's not -- the user did not (fully) authenticate yet, so reauthentication is not applicable. In order to support this, I think a general mechanism is needed to add timeouts to
I'm trying to set a timeout between initial login and mfa.
This function in allauth.account.reauthentication looks like it's intended for this:
I overrode AuthenticateView and implemented did_recently_authenticate to add the timeout check before proceeding with the mfa validation. But since the user is anonymous even after the first stage of login, the function returns False before any of the logic is run. Is the user supposed to be anonymous? Is it better to use request.session.get(AUTHENTICATION_METHODS_SESSION_KEY, []) and calculate the timeout from the last login? Do I need to create custom logic or is this feature included in allauth?
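A session-based check of the kind the issue asks about, written against session state only (the user is still anonymous at the MFA stage, so request.user cannot be consulted). This is an added example, not code from the issue or from django-allauth; the session key name, the record shape ({"method": ..., "at": posix-timestamp}) and the method names "password" and "mfa" are assumptions, as is the timeout value.

```python
"""Stale first-factor check for a two-stage (password, then MFA) login.

Added example, not django-allauth's own code. Assumes the session holds a
list of authentication records under AUTHENTICATION_METHODS_SESSION_KEY,
each a dict with a "method" name and an "at" POSIX timestamp, which is the
shape the issue's request.session.get(AUTHENTICATION_METHODS_SESSION_KEY, [])
suggests. Key name, record layout and method names are assumptions.
"""
import time

AUTHENTICATION_METHODS_SESSION_KEY = "account_authentication_methods"  # assumed
MFA_STAGE_TIMEOUT = 120  # seconds allowed between first factor and MFA submit


def record_first_factor(session, method, now=None):
    """Append a first-factor record; the login view would call this."""
    now = time.time() if now is None else now
    records = session.setdefault(AUTHENTICATION_METHODS_SESSION_KEY, [])
    records.append({"method": method, "at": now})


def last_first_factor_at(session):
    """Newest "at" among first-factor records, or None if there is none.

    Records with method "mfa" are skipped: they belong to the second stage,
    and counting them would reset the clock on every MFA attempt.
    """
    records = session.get(AUTHENTICATION_METHODS_SESSION_KEY, [])
    stamps = [
        r["at"] for r in records
        if isinstance(r, dict) and r.get("method") != "mfa" and "at" in r
    ]
    return max(stamps) if stamps else None


def mfa_stage_expired(session, now=None, timeout=MFA_STAGE_TIMEOUT):
    """True when the MFA form must be rejected and the login restarted.

    Fail closed: no recorded first factor means the MFA form is not trusted.
    A timestamp in the future is also rejected, so a tampered or replayed
    record cannot extend the window.
    """
    now = time.time() if now is None else now
    started = last_first_factor_at(session)
    if started is None:
        return True
    age = now - started
    return age < 0 or age > timeout
```

The MFA view would call mfa_stage_expired(request.session) before validating the code and, on True, clear the session records and redirect to the login form.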