fix(mfa): WebAuthn authenticator was not recorded on 2FA login

pennersr · Sep 21, 2024 · db1d084 · db1d084
1 parent 1de29cb
commit db1d084
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 5 deletions.
diff --git a/allauth/conftest.py b/allauth/conftest.py
@@ -281,7 +281,11 @@ def passkey(user):
     authenticator = Authenticator.objects.create(
         user=user,
         type=Authenticator.Type.WEBAUTHN,
-        data={"name": "Test passkey", "passwordless": True},
+        data={
+            "name": "Test passkey",
+            "passwordless": True,
+            "credential": {},
+        },
     )
     return authenticator
 

diff --git a/allauth/headless/conftest.py b/allauth/headless/conftest.py
@@ -37,6 +37,11 @@ def force_login(self, user):
         self.session_token = self.session.session_key
         return ret
 
+    def headless_session(self):
+        from allauth.headless.internal import sessionkit
+
+        return sessionkit.session_store(self.session_token)
+
 
 @pytest.fixture
 def app_client():
@@ -46,7 +51,9 @@ def app_client():
 @pytest.fixture
 def client(headless_client):
     if headless_client == "browser":
-        return Client()
+        client = Client()
+        client.headless_session = lambda: client.session
+        return client
     return AppClient()
 
 

diff --git a/allauth/headless/mfa/tests/test_webauthn.py b/allauth/headless/mfa/tests/test_webauthn.py
@@ -4,6 +4,7 @@
 
 import pytest
 
+from allauth.account.authentication import AUTHENTICATION_METHODS_SESSION_KEY
 from allauth.headless.constants import Flow
 from allauth.mfa.models import Authenticator
 
@@ -190,6 +191,10 @@ def test_2fa_login(
     data = resp.json()
     assert resp.status_code == 200
     assert data["data"]["user"]["id"] == passkey.user_id
+    assert client.headless_session()[AUTHENTICATION_METHODS_SESSION_KEY] == [
+        {"method": "password", "at": ANY, "username": passkey.user.username},
+        {"method": "mfa", "at": ANY, "id": ANY, "type": Authenticator.Type.WEBAUTHN},
+    ]
 
 
 def test_passkey_signup(client, db, webauthn_registration_bypass, headless_reverse):

diff --git a/allauth/mfa/webauthn/forms.py b/allauth/mfa/webauthn/forms.py
@@ -4,7 +4,10 @@
 from allauth.core import context
 from allauth.mfa import app_settings
 from allauth.mfa.adapter import get_adapter
-from allauth.mfa.base.internal.flows import check_rate_limit
+from allauth.mfa.base.internal.flows import (
+    check_rate_limit,
+    post_authentication,
+)
 from allauth.mfa.models import Authenticator
 from allauth.mfa.webauthn.internal import auth, flows
 
@@ -67,6 +70,8 @@ class SignupWebAuthnForm(_BaseAddWebAuthnForm):
 
 class AuthenticateWebAuthnForm(forms.Form):
     credential = forms.JSONField(required=True, widget=forms.HiddenInput)
+    reauthenticated = False
+    passwordless = False
 
     def __init__(self, *args, **kwargs):
         self.user = kwargs.pop("user")
@@ -88,16 +93,25 @@ def clean_credential(self):
 
     def save(self):
         authenticator = self.cleaned_data["credential"]
-        authenticator.record_usage()
+        post_authentication(
+            context.request,
+            authenticator,
+            reauthenticated=self.reauthenticated,
+            passwordless=self.passwordless,
+        )
 
 
 class LoginWebAuthnForm(AuthenticateWebAuthnForm):
+    reauthenticated = False
+    passwordless = True
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, user=None, **kwargs)
 
 
 class ReauthenticateWebAuthnForm(AuthenticateWebAuthnForm):
-    pass
+    reauthenticated = True
+    passwordless = False
 
 
 class EditWebAuthnForm(forms.Form):

diff --git a/allauth/mfa/webauthn/tests/test_views.py b/allauth/mfa/webauthn/tests/test_views.py
@@ -7,6 +7,7 @@
 import pytest
 from pytest_django.asserts import assertTemplateUsed
 
+from allauth.account.authentication import AUTHENTICATION_METHODS_SESSION_KEY
 from allauth.mfa.models import Authenticator
 
 
@@ -20,6 +21,15 @@ def test_passkey_login(client, passkey, webauthn_authentication_bypass):
             reverse("mfa_login_webauthn"), data={"credential": credential}
         )
     assert resp["location"] == settings.LOGIN_REDIRECT_URL
+    assert client.session[AUTHENTICATION_METHODS_SESSION_KEY] == [
+        {
+            "at": ANY,
+            "id": ANY,
+            "method": "mfa",
+            "passwordless": True,
+            "type": "webauthn",
+        }
+    ]
 
 
 def test_reauthenticate(
@@ -169,3 +179,24 @@ def test_passkey_signup(client, db, webauthn_registration_bypass):
             reverse("mfa_signup_webauthn"), data={"credential": credential}
         )
     assert resp["location"] == settings.LOGIN_REDIRECT_URL
+
+
+def test_webauthn_login(
+    client, user_with_passkey, passkey, user_password, webauthn_authentication_bypass
+):
+    resp = client.post(
+        reverse("account_login"),
+        {"login": user_with_passkey.username, "password": user_password},
+    )
+    assert resp.status_code == 302
+    assert resp["location"] == reverse("mfa_authenticate")
+    with webauthn_authentication_bypass(passkey) as credential:
+        resp = client.get(reverse("mfa_authenticate"))
+        assert resp.status_code == 200
+        resp = client.post(reverse("mfa_authenticate"), {"credential": credential})
+    assert resp.status_code == 302
+    assert resp["location"] == settings.LOGIN_REDIRECT_URL
+    assert client.session[AUTHENTICATION_METHODS_SESSION_KEY] == [
+        {"method": "password", "at": ANY, "username": user_with_passkey.username},
+        {"method": "mfa", "at": ANY, "id": ANY, "type": Authenticator.Type.WEBAUTHN},
+    ]