
commit
166c07d8d2f24871c95cede32b5b01ad21ff5fcf
parent
be6b093e7ce8a11499860ea39c692c0ac72662f8
Author
Tobias Bengfort <tobias.bengfort@posteo.de>
Date
2023-04-13 05:41
refactor _get_verify_origin_fn

Diffstat

M mfa/methods/fido2.py 24 ++++++++++--------------

1 files changed, 10 insertions, 14 deletions


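--- a/mfa/methods/fido2.py
+++ b/mfa/methods/fido2.py
@@ -1,7 +1,7 @@
-from typing import Union
 from urllib.parse import urlparse
 
 from django.conf import settings as django_settings
+from django.utils.http import is_same_domain
 from fido2 import cbor
 from fido2.server import Fido2Server
 from fido2.utils import websafe_decode
@@ -18,30 +18,26 @@ name = 'FIDO2'
 
 
 def _get_verify_origin_fn():
-    """
-    Returns a custom verify_origin function which allows HTTP if using localhost.
-    Why: browsers are allowed to consider localhost as a secure context, which is helpful for development.
-    Setting a custom verify_origin like this is the solution suggested by python-fido2.
+    """Do not require https on localhost in DEBUG mode.
+
     See https://github.com/Yubico/python-fido2/issues/122
     """
 
-    def is_localhost(hostname: Union[str,bytes]):
-        return hostname == 'localhost' or hostname.endswith('.localhost')
+    def is_localhost(hostname):
+        allowed_hosts = ['.localhost', '127.0.0.1', '[::1]']
+        return any(is_same_domain(hostname, h) for h in allowed_hosts)
 
-    # This is the custom verify_origin function
     def verify_localhost_origin(origin):
-        return is_localhost(urlparse(origin).hostname)
+        return urlparse(origin).hostname == settings.DOMAIN
 
-    # This custom function is only helpful if configured to use localhost in development
     if django_settings.DEBUG and is_localhost(settings.DOMAIN):
         return verify_localhost_origin
-
-    # If custom function is not needed, fallback to using the python-fido2 default function.
-    return None
+    else:
+        return None
 
 
 fido2 = Fido2Server(
-    rp=PublicKeyCredentialRpEntity(id=settings.DOMAIN, name=settings.SITE_TITLE),
+    PublicKeyCredentialRpEntity(id=settings.DOMAIN, name=settings.SITE_TITLE),
     verify_origin=_get_verify_origin_fn(),
 )
 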
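Review bot: In `verify_localhost_origin`, `urlparse(origin).hostname` comes back lowercased and with IPv6 brackets stripped, while `settings.DOMAIN` is compared verbatim, so the `'[::1]'` entry that `is_localhost` deliberately accepts can never equal an origin hostname of `::1` and every FIDO2 request would be rejected in that configuration (assuming an IP literal is usable as the RP ID here at all). Normalising the configured side, `return urlparse(origin).hostname == settings.DOMAIN.lower().strip('[]')`, keeps the intent and makes the two checks agree. It would also help to say in the function why the default python-fido2 origin check is bypassed, e.g. `# DEBUG-only: match on hostname alone so http:// and any dev-server port are accepted for localhost`, since silently ignoring scheme and port is the security-relevant part of this path. The relaxation is reachable only when both `django_settings.DEBUG` and a localhost `DOMAIN` hold, which is the invariant worth preserving when this is touched again.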