labd / wagtail-2fa

2 Factor Authentication for Wagtail

Home Page: https://wagtail-2fa.readthedocs.io/en/latest/

WAGTAIL_2FA_REQUIRED = False being ignored

victoriachan opened this issue

Hi,

I want to disable 2fa on local builds and staging sites. So I added WAGTAIL_2FA_REQUIRED = False to my settings in dev.py. However I am still being prompted for 2fa. This is the same even when I remove the WAGTAIL_2FA_REQUIRED = True in base.py.

Does this only disable the setting of 2fa for new accounts but will continue to require it for user accounts that already have 2fa enabled?

Thanks.

Hi @victoriachan,

Thanks for your report!

You're right, when the user has a verified device, the code will keep asking for your MFA token, as you can see here: https://github.com/labd/wagtail-2fa/blob/master/src/wagtail_2fa/middleware.py#L34. I think we should update the code so it will be disabled when the setting is set to False; however, for now you can maybe continue with removing your device in django admin?

Thank you for confirming, @mikedingjan!

What's the ETA for this to be sorted? I can push the PR, if this is what was blocking you?

It's quite an important setting so it's annoying that it is partly broken... 😞

Currently I have to use the following workaround to enable MFA only in prod, but not dev:

settings/core.py

mfa_apps = [
    'django_otp',
    'django_otp.plugins.otp_totp',
]

INSTALLED_APPS += mfa_apps

mfa_mware = [
    'django_otp.middleware.OTPMiddleware',
]

MIDDLEWARE += mfa_mware

settings/prod.py

from .core import *

INSTALLED_APPS.extend([
    'wagtail_2fa',
])

MIDDLEWARE.extend([
    'wagtail_2fa.middleware.VerifyUserMiddleware',
])

urls.py

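from django.conf import settings
from django.contrib import admin

# Outside DEBUG, require an OTP-verified session for the Django admin site.
if not settings.DEBUG:
    from django_otp.admin import OTPAdminSite
    admin.site.__class__ = OTPAdminSite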
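
The per-environment toggle from the workaround above, written as one helper plus a consistency check. This is an added example, not part of the thread and not wagtail-2fa code. `configure_mfa` and `audit_mfa` are hypothetical names, the base settings are constructed, and treating `DEBUG = False` as production is an assumption taken from the `urls.py` gate.

```python
# Added example, not wagtail-2fa code. Helper names are hypothetical;
# the app and middleware paths are the ones quoted in the thread.
OTP_APPS = ["django_otp", "django_otp.plugins.otp_totp"]
OTP_MIDDLEWARE = "django_otp.middleware.OTPMiddleware"
W2FA_APP = "wagtail_2fa"
W2FA_MIDDLEWARE = "wagtail_2fa.middleware.VerifyUserMiddleware"


def configure_mfa(installed_apps, middleware, enforce):
    """Return new (apps, middleware) lists with 2FA enforcement on or off.

    django_otp is kept in both modes, as in the workaround, so device
    tables exist everywhere; only the wagtail_2fa entries are toggled.
    """
    apps = [a for a in installed_apps if a != W2FA_APP]
    mware = [m for m in middleware if m != W2FA_MIDDLEWARE]
    apps += [a for a in OTP_APPS if a not in apps]
    if OTP_MIDDLEWARE not in mware:
        mware.append(OTP_MIDDLEWARE)
    if enforce:
        apps.append(W2FA_APP)
        mware.append(W2FA_MIDDLEWARE)
    return apps, mware


def audit_mfa(installed_apps, middleware, debug):
    """List inconsistencies; an empty list means the settings agree."""
    problems = []
    enforced = W2FA_MIDDLEWARE in middleware
    if enforced != (W2FA_APP in installed_apps):
        problems.append("wagtail_2fa app and middleware must be toggled together")
    if not debug and not enforced:
        problems.append("DEBUG is False but VerifyUserMiddleware is not installed")
    missing = [a for a in OTP_APPS if a not in installed_apps]
    if missing:
        problems.append("missing django_otp apps: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed base settings for the demonstration.
    base_apps = ["django.contrib.auth", "wagtail.admin"]
    base_mw = ["django.contrib.auth.middleware.AuthenticationMiddleware"]
    for name, enforce, debug in [("dev", False, True), ("prod", True, False)]:
        apps, mw = configure_mfa(base_apps, base_mw, enforce)
        print(name, audit_mfa(apps, mw, debug) or "ok")
```

Running `audit_mfa` at the end of each settings module, or in CI against the production settings, catches a deployment where the dev configuration was shipped with `DEBUG = False`.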