You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.
from django . shortcuts import redirect , reverse
from django . http import HttpResponse
class MFAMiddleware :
"""
这个 中间件 是用来全局拦截开启了 MFA 却没有认证的,如 OIDC, CAS, 使用第三方库做的登录, 直接 login 了,
所以只能在 Middleware 中控制
"""
def __init__ ( self , get_response ) :
self . get_response = get_response
def __call__ ( self , request ) :
response = self . get_response ( request )
# 没有校验
if not request . session . get ( ' auth_mfa_required ' ) :
return response
# 没有认证过,证明不是从 第三方 来的
if request . user . is_anonymous :
return response
# 这个是 mfa 登录页需要的请求, 也得放出来, 用户其实已经在 CAS/OIDC 中完成登录了
white_urls = [
' login/mfa ' , ' mfa/select ' , ' jsi18n/ ' , ' /static/ ' , ' /profile/otp ' ,
' /logout/ ' , ' /login/ '
]
for url in white_urls :
if request . path . find ( url ) > - 1 :
return response
# 因为使用 CAS/OIDC 登录的,不小心去了别的页面就回不来了
if request . path . find ( ' users/profile ' ) > - 1 :
return HttpResponse ( ' ' , status = 401 )
url = reverse ( ' authentication:login-mfa ' ) + ' ?_=middleware '
return redirect ( url )