
Django Admin Site Not Enforcing Two-Factor Authentication (2FA) with django-otp and django-two-factor-auth

Published 2024-11-26 22:21     Views (227)     Comments (0)     Likes (9)     Favorites (1)


Problem Description:

I am trying to enforce two-factor authentication (2FA) for the Django admin site using the django-otp and django-two-factor-auth packages. Despite following the setup steps, the admin login does not require 2FA and allows users to log in with just their username and password.

My Setup

  • Django Version: 4.2.11
  • django-otp Version: 1.5.2
  • django-two-factor-auth Version: 1.17.0
  • Python Version: 3.10

What I've done

  1. Installed the required packages:

       pip install django-otp django-two-factor-auth

  2. Updated INSTALLED_APPS in settings.py:

       INSTALLED_APPS = [
           'django.contrib.contenttypes',
           'django.contrib.auth',
           'django.contrib.sessions',
           'django.contrib.admin',
           'django_otp',
           'django_otp.plugins.otp_email',
           'two_factor',
           'two_factor.plugins.email',
           ...
       ]

  3. Configured the middleware in settings.py:

       MIDDLEWARE = [
           'django.middleware.common.CommonMiddleware',
           'django.contrib.auth.middleware.AuthenticationMiddleware',
           'django_otp.middleware.OTPMiddleware',
           'two_factor.middleware.threadlocals.ThreadLocals',
           ...
       ]

  4. Patched the admin site in urls.py:

       from django.contrib import admin
       from django.urls import include, path
       from two_factor.admin import AdminSiteOTPRequired

       admin.site.__class__ = AdminSiteOTPRequired

       urlpatterns = [
           path('admin/', admin.site.urls),
           path('account/', include(('two_factor.urls', 'two_factor'), namespace='two_factor')),
           ...
       ]

  5. 2FA settings in settings.py:

       TWO_FACTOR_PATCH_ADMIN = True
       TWO_FACTOR_LOGIN_URL = 'two_factor:login'
       LOGIN_REDIRECT_URL = '/admin/'
       LOGIN_URL = 'two_factor:login'

  6. Added 2FA devices: I added an email device using the two_factor_add management command.

The issue

Even after following these steps, the admin login page does not prompt for 2FA. It allows me to log in directly with just the username and password, bypassing the 2FA requirement entirely.

Errors in logs

Here are some relevant log entries when attempting to log in:

    [22/Aug/2024 16:24:34] INFO "GET /admin/login/?next=/admin/ HTTP/1.1" 302 0
    [22/Aug/2024 16:24:35] INFO Response for URL: /account/account/login/, Status Code: 200, User: Anonymous, IP: 127.0.0.1

What I've Tried:

  • Ensuring django_otp.middleware.OTPMiddleware is correctly placed in the middleware list.
  • Restarting the Django server after each configuration change.

What could be causing the Django admin to bypass the 2FA requirement? Is there something I'm missing in my setup? Any guidance or suggestions would be greatly appreciated.


Solution


No answers yet



Site category: Technical articles > Q&A

Author: 黑洞官方问答小能手

Link: https://www.pythonheidong.com/blog/article/2046121/d3bbeac10bce04724705/

Source: python黑洞网
