Priority: High
Type: Security Bug
Description
The 2FA enforcement middleware in src/myapp/middleware.py exempts paths by plain string prefix matching (str.startswith), so any request whose path merely begins with an exempt string skips the 2FA check. The broadest entry is "/accounts/": it was added for the email-verification flow, but as a prefix it exempts every view under /accounts/, not just the verification page. The hard-coded "/admin/login/" and the two file-tree prefixes have the same property: anything whose path starts with them is treated as exempt, regardless of what follows. The list therefore exempts more than the handful of views it was written for.
Current Implementation
```python
self.exempt_urls = [
    reverse("account_login"),
    reverse("account_logout"),
    reverse("account_email"),  # Email verification page
    "/admin/login/",  # Admin login (hard-coded literal rather than reverse("admin:login"))
    "/static/",  # Static files
    "/media/",  # Media files
    "/accounts/",  # Added for email verification; as a prefix it covers every view under /accounts/
]

def is_path_exempt(self, path: str) -> bool:
    """Check if the current path is exempt from 2FA enforcement."""
    # Prefix match only: a path that merely starts with an exempt string is exempt.
    return any(path.startswith(url) for url in self.exempt_urls)
```
Steps to Reproduce
- Configure the site to require 2FA (SiteConfiguration.required_2fa = True)
- Log in as a user who has not enabled 2FA
- Request a URL that should be protected but whose path starts with one of the exempt strings (for example any account-management view under /accounts/ other than the email-verification page)
- Expected: the middleware redirects to 2FA setup. Actual: the view is served, because is_path_exempt() matches the "/accounts/" prefix.
Proposed Solution
- Match views exactly: compare the request path against the reverse()'d paths of the exempt views rather than treating them as prefixes
- Keep prefix matching only for the /static/ and /media/ file trees, and require each such prefix to end in "/"
- Replace the hard-coded "/admin/login/" literal with reverse("admin:login") so the entry tracks the URLconf and any script prefix, as the other reverse() entries already do
- Remove the bare "/accounts/" entry; if other allauth views must be exempt, list them individually by URL name
- Add unit tests that assert the exempt views are still reachable without 2FA and that sibling views under /accounts/ and /admin/ are not
- Document in the middleware which paths are intentionally exempt and why
- Consider a 2FA grace period for new users instead of blanket exemptions
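Sketch of the proposed matching, written for this issue rather than taken from the project's middleware, and kept free of Django so it runs stand-alone: EXACT_EXEMPT holds the paths reverse() is assumed to return for the named URLs, LEGACY_EXEMPT reproduces the current list for side-by-side comparison, and the sample request paths in the tests (such as "/accounts/settings/") are constructed for illustration.

```python
"""Exact-match 2FA path exemptions (added example, not the project's code)."""
from __future__ import annotations

# Paths the real middleware would obtain from reverse(); assumed values here.
EXACT_EXEMPT = frozenset({
    "/accounts/login/",   # reverse("account_login")
    "/accounts/logout/",  # reverse("account_logout")
    "/accounts/email/",   # reverse("account_email"), email verification
    "/admin/login/",      # reverse("admin:login")
})

# Only file-serving trees get prefix treatment, and each prefix must end in
# "/" so that "/static/" cannot match a hypothetical "/staticdata/" view.
PREFIX_EXEMPT = (
    "/static/",  # collected static assets, no per-user data
    "/media/",   # uploaded files served by the web server
)
assert all(p.endswith("/") for p in PREFIX_EXEMPT)

# The broad list from the current middleware, with reverse() values filled in.
LEGACY_EXEMPT = [
    "/accounts/login/", "/accounts/logout/", "/accounts/email/",
    "/admin/login/", "/static/", "/media/", "/accounts/",
]


def legacy_is_path_exempt(path: str) -> bool:
    """Current behaviour: any exempt string as a prefix is enough."""
    return any(path.startswith(url) for url in LEGACY_EXEMPT)


def _is_canonical(path: str) -> bool:
    """Reject paths with empty, '.' or '..' segments so a request such as
    '/accounts/../admin/' is never judged by its textual prefix. Odd shapes
    fail closed (not exempt); the URL resolver still decides what they hit."""
    if not path.startswith("/"):
        return False
    segments = path.split("/")[1:]
    if any(seg in ("", ".", "..") for seg in segments[:-1]):
        return False
    return segments[-1] not in (".", "..")


def is_path_exempt(path: str) -> bool:
    """Exact match for views, prefix match only for the file trees."""
    if not _is_canonical(path):
        return False
    if path in EXACT_EXEMPT:
        return True
    return any(path.startswith(prefix) for prefix in PREFIX_EXEMPT)


# Unit tests in the shape the issue asks for (pytest-compatible; also run by
# the main block). "/accounts/settings/" stands for any account view that is
# not in the exempt set.
def test_named_views_are_exempt():
    for path in EXACT_EXEMPT:
        assert is_path_exempt(path)


def test_file_trees_are_exempt():
    assert is_path_exempt("/static/css/app.css")
    assert is_path_exempt("/media/uploads/avatar.png")


def test_other_account_views_are_protected():
    assert legacy_is_path_exempt("/accounts/settings/")  # the reported bug
    assert not is_path_exempt("/accounts/settings/")


def test_children_of_exact_paths_are_protected():
    assert legacy_is_path_exempt("/admin/login/../")
    assert not is_path_exempt("/admin/login/../")
    assert not is_path_exempt("/admin/")


def test_non_canonical_paths_fail_closed():
    assert not is_path_exempt("/accounts/../admin/")
    assert not is_path_exempt("/accounts//login/")
    assert not is_path_exempt("accounts/login/")


if __name__ == "__main__":
    for name, fn in list(globals().items()):
        if name.startswith("test_"):
            fn()
    print("all checks passed")
```

In the middleware itself, build the exact set from reverse() calls (including reverse("admin:login") in place of the literal) and compare it against request.path; both reverse() and request.path include any script prefix, which is why the hard-coded literal is the odd one out. The canonical-path check is defence in depth only: the resolver, not the prefix test, determines which view a non-canonical path reaches, so the safe default for such paths is to not exempt them.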
Relevant Files
src/myapp/middleware.py - Contains the Require2FAMiddleware class
src/myapp/models/__init__.py - Contains SiteConfiguration model with 2FA toggle
Additional Context
Some exemptions are necessary for basic functionality (a user must be able to reach the login, logout and email-verification views without 2FA), but the current prefix list is broader than that set. This should be addressed as a high priority because the 2FA requirement is part of the application's core security model and the middleware is the only place it is enforced.