
Add support for django-hijack #13

Merged (6 commits, Feb 5, 2024)

Conversation

sergei-maertens (Member)

Closes #9

@codecov-commenter commented Feb 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a3aeb2c) 100.00% compared to head (5737be2) 100.00%.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #13   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           10        13    +3     
  Lines          195       226   +31     
  Branches        22        27    +5     
=========================================
+ Hits           195       226   +31     

Thanks to @Bartvaderkin for the original implementation

Added signals so that hijacking admin users works without
entering their second factor by (OTP) logging them in with
a temporary device.

Special care is taken to ensure hijacking is only allowed
for users that are verified, even if you forget to specify
a custom permission check. This functionality explicitly
tests that it cannot be abused to circumvent multi-factor
authentication.
This also requires the user to be verified so the hijack stops before
the view fully executes, rather than crashing in the signal receiver.
@sergei-maertens force-pushed the feature/hijack-integration branch from cc591ad to 5737be2 on February 3, 2024 21:41
@sergei-maertens marked this pull request as ready for review on February 3, 2024 21:56


@pytest.fixture
def mfa_admin_user(admin_user):

Is admin_user a pytest-django specific fixture?

Member Author

yep!

@Viicos left a comment

Is this something that also should be taken into account in the upstream django two factor auth library? Or is it really specific to MM?

@sergei-maertens (Member Author)

> Is this something that also should be taken into account in the upstream django two factor auth library? Or is it really specific to MM?

Really specific to our particular combination of django-2fa and django-hijack.

Of course, users of django-two-factor-auth can always use this library as a source of inspiration :D

@sergei-maertens sergei-maertens merged commit 08613a8 into main Feb 5, 2024
10 checks passed
@Viicos deleted the feature/hijack-integration branch on February 5, 2024 11:34
Successfully merging this pull request may close these issues.

Make two-factor auth work with django-hijack