labd / wagtail-2fa

2 Factor Authentication for Wagtail

Home Page:https://wagtail-2fa.readthedocs.io/en/latest/

Only require 2fa for admin urls?

vdboor opened this issue · comments

Would it make sense to only require 2fa for the pages where wagtail is mounted? E.g. everything below reverse('wagtailadmin_home') such as /cms/ and /admin/?

    from django.conf import settings
    from django.urls import NoReverseMatch, reverse


    def _require_verified_user(self, request):
        ...
        if settings.WAGTAIL_2FA_ONLY_URLS:
            # As a safeguard, the wagtail+admin pages are always under 2fa,
            # otherwise there is a chance to circumvent 2fa for those URLs.
            admin_urls = list(settings.WAGTAIL_2FA_ONLY_URLS) + [reverse('wagtailadmin_home')]
            try:
                # django.contrib.admin may not be installed; skip it in that case.
                admin_urls.append(reverse('admin:index'))
            except NoReverseMatch:
                pass

            if not any(request.path.startswith(url) for url in admin_urls):
                return False

        return True

Reason for using this:

  • on the regular user pages, we'd like to use allauth-2fa to show a user-facing 2fa check.
  • only on the wagtail and admin pages, the wagtail-2fa screen should pop up.
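As an added illustration (not code from this issue or from wagtail-2fa), the proposed check as a standalone, Django-free function: the configured prefixes plus the always-protected admin prefixes decide whether a path needs 2fa, and the match is segment-aware and normalized so that /administrator/ is not taken for /admin/ while //cms/ or /blog/../cms/ still counts as the CMS. The prefix values are constructed stand-ins for what reverse('wagtailadmin_home') and reverse('admin:index') would return.

```python
import posixpath
from typing import Iterable, Optional

# Constructed stand-ins for reverse('wagtailadmin_home') and reverse('admin:index').
# These are always protected, mirroring the safeguard in the proposal above.
ALWAYS_PROTECTED = ["/cms/", "/admin/"]


def _normalize(path: str) -> str:
    """Collapse repeated slashes and dot segments, and force a trailing slash.

    Matching on the normalized form means "/cms" and "//cms/" are treated as
    the CMS root, while "/cms/../blog/" is treated as "/blog/".
    """
    # lstrip first: posixpath.normpath keeps exactly two leading slashes,
    # so "//cms" would otherwise survive normalization unchanged.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return norm if norm.endswith("/") else norm + "/"


def requires_2fa(path: str, only_urls: Optional[Iterable[str]]) -> bool:
    """Return True if a request for `path` must pass the wagtail-2fa check.

    `only_urls` plays the role of settings.WAGTAIL_2FA_ONLY_URLS. When it is
    unset or empty the current behaviour applies: every path requires 2fa.
    """
    if not only_urls:
        return True
    # Prefixes end in "/" after normalization, so "/admin/" can only match
    # "/admin/" itself or something below it, never "/administrator/".
    protected = [_normalize(p) for p in list(only_urls) + ALWAYS_PROTECTED]
    requested = _normalize(path)
    return any(requested.startswith(prefix) for prefix in protected)
```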