【发布时间】:2023-04-01 07:10:01
【问题描述】:
我在 Django 项目中使用two-factor authentication。它工作正常,但我想在我的代码中实现更多功能。但我无法实施
预期行为:
我希望用户在从新设备登录时必须面对 2F 身份验证提示。另外,我想增加代码验证时间。
当前行为: 目前,如果用户首次登录,则会向用户显示身份验证提示。但是当用户从新设备登录时,不会向用户显示身份验证并轻松登录。但我希望用户必须面对每个新设备的 2F。此外,每当我更改步骤时,验证代码都无效。例如,如果我给出 step=60,那么验证码就会无效。我无法增加代码验证的时间。
我检查了数据库中的 TOTPDevice 模型。它表明现在没有为新设备生成新密钥。
我正在使用以下代码。
def get_user_totp_device(self, user, confirmed=None):
"""
Gets user's time based one-time password devices
"""
devices = devices_for_user(user, confirmed=confirmed)
for device in devices:
if isinstance(device, TOTPDevice):
return device
class TOTPCreateView(APIView):
permission_classes = []
def post(self, request):
username = request.data['username']
user = User.objects.get(username=username)
user_email = user.email
user_device = request.META.get('HTTP_USER_AGENT', '')
time = datetime.now().strftime("%H:%M:%S")
if not user.is_anonymous:
device = get_user_totp_device(self, user)
if not device:
device = user.totpdevice_set.create(confirmed=False)
secret_key = device.bin_key
totp = pyotp.TOTP(base64.b32encode(secret_key))
one_time_password = totp.now()
url = device.config_url
response_status = status.HTTP_201_CREATED
else:
url = {}
response_status = status.HTTP_401_UNAUTHORIZED
return Response(url, status=response_status)
class TOTPVerifyView(APIView):
permission_classes = []
def post(self, request, token, format=None):
username = request.data['username']
user = User.objects.get(username=username)
device = get_user_totp_device(self, user)
if not user.is_anonymous:
device_registered = device.verify_token(token)
if device_registered:
if not device.confirmed:
device.confirmed = True
device.save()
data = True
response_status = status.HTTP_200_OK
else:
data = {'error': 'Verification code is not valid'}
response_status = status.HTTP_400_BAD_REQUEST
else:
data = False
response_status = status.HTTP_401_UNAUTHORIZED
return Response(data, status=response_status)
【问题讨论】:
标签: django two-factor-authentication