This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new ec60b867c be more forgiving if a multifactor session gets disrupted 
due to being actually logged in already
ec60b867c is described below

commit ec60b867cbceb7f7997bf63dd1f75898ad237626
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Apr 1 13:00:04 2025 -0400

    be more forgiving if a multifactor session gets disrupted due to being 
actually logged in already
---
 Allura/allura/controllers/auth.py | 4 ++++
 Allura/allura/lib/plugin.py       | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/Allura/allura/controllers/auth.py 
b/Allura/allura/controllers/auth.py
index b985cc5ec..21e88bf90 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -434,6 +434,10 @@ def do_multifactor(self, code, mode, **kwargs):
         if not asbool(config.get('auth.multifactor.totp', False)):
             raise wexc.HTTPNotFound
 
+        if not c.user.is_anonymous():
+            # already logged in, no need to do this form (it would say it was 
"disrupted")
+            redirect(self._verify_return_to(kwargs.get('return_to')))
+
         if 'multifactor-username' not in session:
             tg.flash('Your multifactor login was disrupted, please start 
over.', 'error')
             plugin.AuthenticationProvider.get(request).logout()  # clears all 
cookies that might be interfering
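Review bot: The new early redirect under `if not c.user.is_anonymous():` is what keeps an already-authenticated user off the "disrupted" error path, but the comment only names the symptom; `# authenticate_request() drops a stale 'multifactor-username' for a logged-in user, so the session check below would wrongly report the login as disrupted -- just send them on to return_to` would make the coupling with plugin.py visible to the next reader. The sibling check in plugin.py guards with `user and not user.is_anonymous()`; if `c.user` can ever be unset when this action runs (not visible in the hunk), the same `c.user and` guard belongs here. Routing the target through `self._verify_return_to(...)` is consistent with the rest of the controller and keeps the new branch from becoming an open redirect. do_multifactor continues past the end of the hunk.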
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index cbbb54404..bdb7ecdd6 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -128,6 +128,10 @@ def authenticate_request(self):
         else:
             user = None
 
+        if user and not user.is_anonymous() and 'multifactor-username' in 
self.session:
+            # already logged-in, get rid of the multifactor-username field 
that'll mess things up later
+            del self.session['multifactor-username']
+            self.session.save()
         if 'multifactor-username' in self.session and request.path not in 
self.multifactor_allowed_urls:
             # ensure any partially completed multifactor login is not left 
open, if user goes to any other pages
             redirect(h.url_return_to(self.multifactor_allowed_urls[0], 
self.request))
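Review bot: After the `del self.session['multifactor-username']` added under `if user and not user.is_anonymous() and 'multifactor-username' in self.session:`, the following `if 'multifactor-username' in self.session and request.path not in self.multifactor_allowed_urls:` check can no longer fire on the same request, and two back-to-back `if`s on the same key hide that; making the second an `elif` states the intent (either discard the stale partial login or enforce it) without changing behavior. Discarding a half-finished multifactor login because the request already carries an authenticated user is an authentication state change worth a trace in the logs; if this module has a logger, a `log.debug(...)` line naming the authenticated user next to the `del` would help when reconstructing a login sequence. Whether the multifactor flow stores any other per-flow session keys that should be dropped together with this one is not visible from the hunk. authenticate_request starts before and continues past the hunk.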
