I thought about that and I didn't like that it logged them in if they 
failed the OTP token. I'll probably use it for now.

The only reason being I want them to do it in a single "attempt session". 
If they log in halfway and leave for a couple of minutes I want them to 
supply the regular login credentials again. In other words I'm not 
comfortable leaving them in the "halfway logged in" state.

Although... I bet there's a way to expire users who are two-factor enabled 
that are not validated yet...

How about I wrap the django_otp.views.login with something like:

if not validated:
  if login time too old:
    kill the session
    redirect to login_view

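One way to realize the expiry sketched in the message above, as an added example that is not part of the original post or of django-otp. It uses a middleware instead of wrapping the login view, so the check runs on every request. `MAX_HALF_LOGIN_AGE`, `STAMP_KEY`, `otp_window_expired` and `ExpireUnverifiedMiddleware` are hypothetical names, `login_view` is taken from the post's sketch and assumed to be a URL name, and `is_verified()` and `user_has_device` are django-otp's own.

```python
from datetime import datetime, timedelta, timezone

MAX_HALF_LOGIN_AGE = timedelta(minutes=2)  # assumed limit, tune to taste
STAMP_KEY = "otp_pending_since"            # hypothetical session key


def otp_window_expired(request, now=None, has_device=None):
    """Return True when this session passed the password step but did not
    complete OTP verification within MAX_HALF_LOGIN_AGE."""
    now = now or datetime.now(timezone.utc)
    user = request.user
    if not user.is_authenticated:
        return False
    if user.is_verified():  # attribute added by django-otp's OTPMiddleware
        request.session.pop(STAMP_KEY, None)
        return False
    if has_device is None:
        # Lazy import so the timing logic can be exercised without Django.
        from django_otp import user_has_device as has_device
    if not has_device(user):
        return False  # not two-factor enabled, so never "half way"
    # First request seen in the half-way state starts the clock. The stamp
    # lives in the session, so a login elsewhere cannot extend this window.
    started = request.session.setdefault(STAMP_KEY, now.isoformat())
    return now - datetime.fromisoformat(started) > MAX_HALF_LOGIN_AGE


class ExpireUnverifiedMiddleware:
    """List after django_otp.middleware.OTPMiddleware in MIDDLEWARE."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if otp_window_expired(request):
            from django.contrib.auth import logout
            from django.shortcuts import redirect
            logout(request)  # flushes the session, password step included
            return redirect("login_view")  # URL name assumed from the post
        return self.get_response(request)
```

Views that require the second factor still need their own `is_verified()` check; the middleware only bounds how long the password-only session can exist.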
