45 lines
1.5 KiB
Python
45 lines
1.5 KiB
Python
|
# -*- coding: utf-8 -*-
|
||
|
from django.contrib.auth.backends import ModelBackend
|
||
|
|
||
|
from .models import SQRLIdentity
|
||
|
|
||
|
|
||
|
class SQRLModelBackend(ModelBackend):
|
||
|
"""
|
||
|
Custom SQRL Authentication backend which honors ``only_sqrl`` when enabled.
|
||
|
|
||
|
SQRL, by its spec, allows users to send ``only_sqrl`` flag to the server
|
||
|
which indicates to the server that it should only use SQRL
|
||
|
for authentication and disable all other methods of authentication.
|
||
|
This custom authentication backend implements that requirement.
|
||
|
It honors the ``only_sqrl`` spec and does not allow to authenticate
|
||
|
a user when following conditions are all ``True``:
|
||
|
|
||
|
* user successfully validated credentials using traditional auth method
|
||
|
* user has SQRL identity associated with their account
|
||
|
* :attr:`.models.SQRLIdentity.in_only_sqrl` is ``True``
|
||
|
"""
|
||
|
|
||
|
def authenticate(self, *args, **kwargs):
|
||
|
"""
|
||
|
Same as Django's ``ModelBackend.authenticate`` except
|
||
|
this method honors ``only_sqrl`` SQRL spec.
|
||
|
"""
|
||
|
user = super(SQRLModelBackend, self).authenticate(*args, **kwargs)
|
||
|
|
||
|
if user is None:
|
||
|
return
|
||
|
|
||
|
try:
|
||
|
sqrl_identity = user.sqrl_identity
|
||
|
except SQRLIdentity.DoesNotExist:
|
||
|
return user
|
||
|
else:
|
||
|
if sqrl_identity.is_only_sqrl and sqrl_identity.is_enabled:
|
||
|
return
|
||
|
|
||
|
return user
|
||
|
|
||
|
|
||
|
SQRL_MODEL_BACKEND = '{}.{}'.format(SQRLModelBackend.__module__, SQRLModelBackend.__name__)
|