
Passwordless authentication fails due to AuthenticationDisabled exception #10

Closed
jmichalicek opened this issue Jul 19, 2024 · 0 comments · Fixed by #12

Comments

@jmichalicek (Contributor)

It turns out that the lines referenced here were correct previously, but unclear as to why: #9 (review)

After the logic change, passwordless authentication no longer works.

Internal Server Error: /webauthn/authentication/begin/
Traceback (most recent call last):
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/Library/Application Support/hatch/env/virtual/django-otp-webauthn/gtIbOFRn/django-otp-webauthn/lib/python3.11/site-packages/django/views/decorators/cache.py", line 80, in _view_wrapper
    response = view_func(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/justin/mobelux-projects/django-otp-webauthn/src/django_otp_webauthn/views.py", line 61, in dispatch
    raise exceptions.AuthenticationDisabled()
django_otp_webauthn.exceptions.AuthenticationDisabled: Authentication is disabled.

So while that looked incorrect, the logic there was that if there was no user, then the request was unauthenticated and so could still be authenticated. Otherwise, there was a user attached to the request and so they could authenticate if they are active. Of course, within the normal flow of things, it's actually pretty unlikely that the request would have a user with is_active = False attached. Someone would definitely need to be doing something weird. It's not impossible, though.

A fix rolling back that change and adding comments explaining how it's correct is incoming.
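The gating rule described in the comment above, written out as an added example (this is not django-otp-webauthn's own code; the `User` class, the `AuthenticationDisabled` stand-in and the function names are assumptions made for illustration). It places the changed logic that refuses a falsy user next to the restored logic, and pins the three cases a regression test should cover: no user, an active user and an inactive user.

```python
"""Added example, not the project's code: the "may this request begin
authentication?" rule from the issue, in both its broken and restored
forms, plus the matrix a regression test should assert on."""

from dataclasses import dataclass
from typing import Callable, Optional


class AuthenticationDisabled(Exception):
    """Stand-in for the exception in the traceback (hypothetical class)."""


@dataclass
class User:
    # Minimal stand-in for a Django user; only is_active matters here (constructed).
    username: str
    is_active: bool = True


def authentication_allowed_broken(user: Optional[User]) -> bool:
    # The changed logic: a falsy user yields False, so an unauthenticated request
    # to the authentication "begin" endpoint is refused. That is the reported bug:
    # passwordless login starts with no user attached, so it can never proceed.
    return bool(user) and user.is_active


def authentication_allowed(user: Optional[User]) -> bool:
    # Restored logic: no user means the request is unauthenticated and may still
    # authenticate; a user already attached to the request may authenticate only
    # if that account is active. The inactive-user branch is rarely reached in a
    # normal flow, but it is the branch that keeps a disabled account out.
    if not user:
        return True
    return user.is_active


def begin_authentication(
    user: Optional[User],
    check: Callable[[Optional[User]], bool] = authentication_allowed,
) -> str:
    # Mirrors the dispatch step in the traceback: gate first, then start the
    # ceremony. The string is a placeholder for the real options payload.
    if not check(user):
        raise AuthenticationDisabled("Authentication is disabled.")
    return "authentication-options"


def regression_matrix(check: Callable[[Optional[User]], bool]) -> dict:
    """Return the gate's decision for the three cases a regression test should pin."""
    return {
        "anonymous": check(None),
        "active": check(User("alice", is_active=True)),
        "inactive": check(User("bob", is_active=False)),
    }


if __name__ == "__main__":
    print("restored:", regression_matrix(authentication_allowed))
    print("broken:  ", regression_matrix(authentication_allowed_broken))
```

The two matrices differ only in the `anonymous` row, which is why the original change looked harmless in review: every case with a user attached behaves identically, and only the passwordless entry point (no user yet) breaks. Asserting on that row in the test suite is what prevents the same regression from being reintroduced.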

jmichalicek added a commit to jmichalicek/django-otp-webauthn that referenced this issue Jul 19, 2024
…ogic returning False if the user is falsey.

This resolves Stormbase#10
and adds comments explaining why the logic is correct.
@jmichalicek jmichalicek changed the title Passwordless authentication fails due to AuthenticationDisabled Passwordless authentication fails due to AuthenticationDisabled exception Jul 19, 2024