Issue #1 resolved

otp_agents.decorators.otp_required seems to ignore if_configured if accept_trusted_agent is True

Hany Fahim
created an issue

I'm trying to have a setup whereby a user, who does not have an OTP device configured, will be allowed to authenticate using the otp_required decorator with if_configured set to True. This works great with django_otp.decorators.otp_required. However, if I try to integrate django-otp-agents and use the handy replacement otp_agents.decorators.otp_required, with accept_trusted_agent=True, it seems to ignore if_configured=True entirely.

Looking at django-otp/django-otp-agents/otp_agents/decorators.py, the issue seems to lie in the if/else/elif block, where it goes directly to trusted_agent_required as long as accept_trusted_agent is set to True. I'm not sure this was the intended behaviour based on my understanding of the documentation here:

http://pythonhosted.org/django-otp-agents/#decorators

Can any light be shed?

Comments (3)

  1. Peter Sagerson repo owner

    Thanks, I think that's a good catch. if_configured is quite a recent addition (by request), and it looks like I didn't think it all the way through in django-otp-agents. That version of otp_required is distressingly gnarly in general. I'll take another look at it.

  2. Peter Sagerson repo owner

    I think I've tamed otp_required. The default behavior of login_url is also more explicit now, which was actually the root of the confusion. Thanks for the detailed report. See django-otp 0.1.4 and django-otp-agents 0.1.8, change 8d1d416.

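A model of the flag interaction reported in this issue, added here as an illustration and not code from django-otp or django-otp-agents. The `User` fields and both predicate functions are hypothetical: `reported_allows` mirrors the dispatch shape the report describes, `expected_allows` is an assumed reading of the documented flags, and enumerating every state shows the single case where they differ.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class User:
    """Constructed stand-in for a request user; not a Django model."""
    authenticated: bool
    has_device: bool      # an OTP device is configured
    verified: bool        # passed OTP in this session
    trusted_agent: bool   # browser previously marked as trusted


def reported_allows(user, if_configured, accept_trusted_agent):
    """Dispatch shape from the report: accept_trusted_agent short-circuits."""
    if accept_trusted_agent:
        # if_configured is never consulted on this branch.
        return user.authenticated and (user.verified or user.trusted_agent)
    elif if_configured:
        return user.authenticated and (user.verified or not user.has_device)
    else:
        return user.authenticated and user.verified


def expected_allows(user, if_configured, accept_trusted_agent):
    """Each flag widens access independently (assumed reading of the docs)."""
    if not user.authenticated:
        return False
    if if_configured and not user.has_device:
        return True
    return user.verified or (accept_trusted_agent and user.trusted_agent)


def disagreements():
    """Return every (flags, user) where the two predicates differ."""
    found = []
    for flags in product([False, True], repeat=2):  # (if_configured, accept_trusted_agent)
        for fields in product([False, True], repeat=4):
            user = User(*fields)
            if user.verified and not user.has_device:
                continue  # cannot verify without a device
            if reported_allows(user, *flags) != expected_allows(user, *flags):
                found.append((flags, user))
    return found


if __name__ == "__main__":
    for (if_configured, accept_trusted_agent), user in disagreements():
        print(if_configured, accept_trusted_agent, user)
```

The same exhaustive enumeration works as a regression test for any access decorator that combines several boolean options.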