fix: 修复 oidc cas 登录时跳转问题

perf: 优化一波，容易debug perf: 还原回来的世界
2021-11-25 13:20:13 +08:00 · 2021-11-25 13:20:13 +08:00 · 7f0ad7e27f
parent 5ace5a752e
commit 7f0ad7e27f
8 changed files with 65 additions and 54 deletions
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@ -1,17 +1,36 @@
-from django.shortcuts import redirect
+from django.shortcuts import redirect, reverse
 from django.http import HttpResponse
 class MFAMiddleware:
    """
    这个 中间件 是用来全局拦截开启了 MFA 却没有认证的，如 OIDC, CAS，使用第三方库做的登录，直接 login 了，
    所以只能在 Middleware 中控制
    """
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request):
        response = self.get_response(request)
        # 没有校验
        if not request.session.get('auth_mfa_required'):
            return response
        # 没有认证过，证明不是从 第三方 来的
        if request.user.is_anonymous:
            return response
-        white_urls = ['login/mfa', 'mfa/select', 'jsi18n/', '/static/']
+        # 这个是 mfa 登录页需要的请求, 也得放出来, 用户其实已经在 CAS/OIDC 中完成登录了
        white_urls = [
            'login/mfa', 'mfa/select', 'jsi18n/', '/static/', '/profile/otp',
            '/logout/', '/login/'
        ]
        for url in white_urls:
            if request.path.find(url) > -1:
                return response
-        if request.session.get('auth_mfa_required'):
+
-            return redirect('authentication:login-mfa')
+        # 因为使用 CAS/OIDC 登录的，不小心去了别的页面就回不来了
-        return response
+        if request.path.find('users/profile') > -1:
            return HttpResponse('', status=401)
        url = reverse('authentication:login-mfa') + '?_=middleware'
        return redirect(url)
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -257,7 +257,8 @@ class MFAMixin:
    def _check_login_page_mfa_if_need(self, user):
        if not settings.SECURITY_MFA_IN_LOGIN_PAGE:
            return
-        self._check_if_no_active_mfa(user)
+        if not user.active_mfa_backends:
            return
        request = self.request
        data = request.data if hasattr(request, 'data') else request.POST
@ -274,10 +275,8 @@ class MFAMixin:
        if not user.mfa_enabled:
            return
-        self._check_if_no_active_mfa(user)
+        active_mfa_names = user.active_mfa_backends_mapper.keys()
-
+        raise errors.MFARequiredError(mfa_types=tuple(active_mfa_names))
        active_mfa_mapper = user.active_mfa_backends_mapper
        raise errors.MFARequiredError(mfa_types=tuple(active_mfa_mapper.keys()))
    def mark_mfa_ok(self, mfa_type):
        self.request.session['auth_mfa'] = 1
--- a/apps/authentication/views/mfa.py
+++ b/apps/authentication/views/mfa.py
@ -3,6 +3,7 @@
 from __future__ import unicode_literals
 from django.views.generic.edit import FormView
 from django.shortcuts import redirect
 from common.utils import get_logger
 from .. import forms, errors, mixins
@ -19,9 +20,15 @@ class UserLoginMFAView(mixins.AuthMixin, FormView):
    def get(self, *args, **kwargs):
        try:
-            self.get_user_from_session()
+            user = self.get_user_from_session()
        except errors.SessionEmptyError:
-            return redirect_to_guard_view()
+            return redirect_to_guard_view('session_empty')
        try:
            self._check_if_no_active_mfa(user)
        except errors.MFAUnsetError as e:
            return redirect(e.url + '?_=login_mfa')
        return super().get(*args, **kwargs)
    def form_valid(self, form):
@ -30,17 +37,17 @@ class UserLoginMFAView(mixins.AuthMixin, FormView):
        try:
            self._do_check_user_mfa(code, mfa_type)
-            return redirect_to_guard_view()
+            return redirect_to_guard_view('mfa_ok')
        except (errors.MFAFailedError, errors.BlockMFAError) as e:
            form.add_error('code', e.msg)
            return super().form_invalid(form)
        except errors.SessionEmptyError:
-            return redirect_to_guard_view()
+            return redirect_to_guard_view('session_empty')
        except Exception as e:
            logger.error(e)
            import traceback
            traceback.print_exc()
-            return redirect_to_guard_view()
+            return redirect_to_guard_view('unexpect')
    def get_context_data(self, **kwargs):
        user = self.get_user_from_session()
--- a/apps/authentication/views/utils.py
+++ b/apps/authentication/views/utils.py
@ -3,6 +3,6 @@
 from django.shortcuts import reverse, redirect
-def redirect_to_guard_view():
+def redirect_to_guard_view(comment=''):
-    continue_url = reverse('authentication:login-guard')
+    continue_url = reverse('authentication:login-guard') + '?_=' + comment
    return redirect(continue_url)
--- a/apps/static/css/otp.css
+++ b/apps/static/css/otp.css
@ -136,6 +136,10 @@ article ul li:last-child{
    border-radius: 6px;
    color: white;
 }
 .next:hover {
 	color: white;
 }
 /*绑定TOTP*/
 /*版权信息*/
--- a/apps/users/templates/users/user_otp_check_password.html
+++ b/apps/users/templates/users/user_otp_check_password.html
@ -7,36 +7,8 @@
 {% endblock %}
 {% block content %}
-    <div class="verify">{% trans 'Please enter the password of' %}&nbsp;{% trans 'account' %}&nbsp;<span>{{ user.username }}</span>&nbsp;{% trans 'to complete the binding operation' %}</div>
+    <hr style="width: 500px; margin: 10px auto auto;">
-    <hr style="width: 500px; margin: auto; margin-top: 10px;">
+    <a type="submit" class="next" href="{% url 'authentication:user-otp-enable-install-app' %}" >
-    <form id="verify-form" class="" role="form" method="post" action="">
+        {% trans 'Next' %}
-        {% csrf_token %}
+    </a>
        <div class="form-input">
            <input id="password" type="password" class="" placeholder="{% trans 'Password' %}" required="" autofocus="autofocus">
            <input id="password-hidden" type="text" style="display:none" name="{{ form.password.html_name }}">
        </div>
        <button type="submit" class="next" onclick="doVerify();return false;">{% trans 'Next' %}</button>
        {% if 'password' in form.errors %}
            <p class="red-fonts">{{ form.password.errors.as_text }}</p>
        {% endif %}
    </form>
    <script type="text/javascript" src="/static/js/plugins/jsencrypt/jsencrypt.min.js"></script>
    <script>
        function encryptLoginPassword(password, rsaPublicKey) {
            var jsencrypt = new JSEncrypt(); //加密对象
            jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
            return jsencrypt.encrypt(password); //加密
        }
        function doVerify() {
            //公钥加密
            var rsaPublicKey = "{{ rsa_public_key }}"
            var password = $('#password').val(); //明文密码
            var passwordEncrypted = encryptLoginPassword(password, rsaPublicKey)
            $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
            $('#verify-form').submit();//post提交
        }
        $(document).ready(function () {
        })
    </script>
 {% endblock %}
--- a/apps/users/templates/users/user_otp_enable_bind.html
+++ b/apps/users/templates/users/user_otp_enable_bind.html
@ -16,12 +16,12 @@
        <div id="qr_code"></div>
        <div style="display: block; margin: 0">Secret: {{ otp_secret_key }}</div>
-        <form class="" role="form" method="post" action="">
+        <form id="bind-form" class="" role="form" method="post" action="">
            {% csrf_token %}
            <div class="form-input">
                <input type="text" class="" name="otp_code" placeholder="{% trans 'Six figures' %}" required="">
            </div>
-            <button type="submit" class="next">{% trans 'Next' %}</button>
+            <a type="submit" class="next button" onclick="submitForm()">{% trans 'Next' %}</a>
            {% if 'otp_code' in form.errors %}
                <p style="color: #ed5565">{{ form.otp_code.errors.as_text }}</p>
            {% endif %}
@ -33,6 +33,10 @@
        $('.change-color li:eq(1) i').css('color', '#1ab394');
        $('.change-color li:eq(2) i').css('color', '#1ab394');
        function submitForm() {
            $('#bind-form').submit()
        }
        $(document).ready(function() {
            // 生成用户绑定otp的二维码
            var qrcode = new QRCode(document.getElementById('qr_code'), {
--- a/apps/users/views/profile/otp.py
+++ b/apps/users/views/profile/otp.py
@ -6,10 +6,12 @@ from django.utils.translation import ugettext as _
 from django.views.generic.base import TemplateView
 from django.views.generic.edit import FormView
 from django.contrib.auth import logout as auth_logout
 from django.shortcuts import redirect
 from django.http.response import HttpResponseRedirect
 from authentication.mixins import AuthMixin
 from authentication.mfa import MFAOtp, otp_failed_msg
 from authentication.errors import SessionEmptyError
 from common.utils import get_logger, FlashMessageUtil
 from common.mixins.views import PermissionsMixin
 from common.permissions import IsValidUser
@ -30,11 +32,15 @@ __all__ = [
 logger = get_logger(__name__)
-class UserOtpEnableStartView(UserVerifyPasswordView):
+class UserOtpEnableStartView(AuthMixin, TemplateView):
    template_name = 'users/user_otp_check_password.html'
-    def get_success_url(self):
+    def get(self, request, *args, **kwargs):
-        return reverse('authentication:user-otp-enable-install-app')
+        try:
            self.get_user_from_session()
        except SessionEmptyError:
            return redirect('authentication:login') + '?_=otp_enable_start'
        return super().get(request, *args, **kwargs)
 class UserOtpEnableInstallAppView(TemplateView):