fix: 用户登陆mfa code为空限制

3 years ago · 380226a7d2
3 changed files with 27 additions and 8 deletions
--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@ -372,9 +372,19 @@ class NotEnableMFAError(JMSException):
    default_detail = mfa_unset_msg


-class OTPRequiredError(JMSException):
+class OTPBindRequiredError(JMSException):
    default_detail = otp_unset_msg

    def __init__(self, url, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.url = url
+
+
+class OTPCodeRequiredError(AuthFailedError):
+    msg = _("Please enter MFA code")
+
+class SMSCodeRequiredError(AuthFailedError):
+    msg = _("Please enter SMS code")
+
+class UserPhoneNotSet(AuthFailedError):
+    msg = _('Phone not set')
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -242,7 +242,12 @@ class AuthMixin(PasswordEncryptionViewMixin):
            data = request.POST
        code = data.get('code')
        mfa_type = data.get('mfa_type')
-        if settings.SECURITY_MFA_IN_LOGIN_PAGE and code and mfa_type:
+        if settings.SECURITY_MFA_IN_LOGIN_PAGE and mfa_type:
+            if not code:
+                if mfa_type ==  MFAType.OTP and bool(user.otp_secret_key):
+                    raise errors.OTPCodeRequiredError
+                elif mfa_type ==  MFAType.SMS_CODE:
+                    raise errors.SMSCodeRequiredError
            self.check_user_mfa(code, mfa_type, user=user)

    def _check_login_acl(self, user, ip):
@ -405,9 +410,12 @@ class AuthMixin(PasswordEncryptionViewMixin):
        if not user.mfa_enabled:
            return

+        if not bool(user.phone) and mfa_type == MFAType.SMS_CODE:
+            raise errors.UserPhoneNotSet
+
        if not bool(user.otp_secret_key) and mfa_type == MFAType.OTP:
            self.set_passwd_verify_on_session(user)
-            raise errors.OTPRequiredError(reverse_lazy('authentication:user-otp-enable-bind'))
+            raise errors.OTPBindRequiredError(reverse_lazy('authentication:user-otp-enable-bind'))

        ip = self.get_request_ip()
        self.check_mfa_is_block(user.username, ip)
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@ -124,18 +124,19 @@ class UserLoginView(mixins.AuthMixin, FormView):
        except (
                errors.PasswdTooSimple,
                errors.PasswordRequireResetError,
-                errors.PasswdNeedUpdate
+                errors.PasswdNeedUpdate,
+                errors.OTPBindRequiredError
        ) as e:
            return redirect(e.url)
        except (
-                errors.MFAUnsetError,
                errors.MFAFailedError,
-                errors.BlockMFAError
+                errors.BlockMFAError,
+                errors.OTPCodeRequiredError,
+                errors.SMSCodeRequiredError,
+                errors.UserPhoneNotSet
        ) as e:
            form.add_error('code', e.msg)
            return super().form_invalid(form)
-        except errors.OTPRequiredError as e:
-            return redirect(e.url)
        self.clear_rsa_key()
        return self.redirect_to_guard_view()