Move the test for requires_step_up_auth up above the user authentication in login_callback, imlement needs_identity_verification in user model

2025-05-16 01:27:03 +02:00 · 2023-12-06 18:16:50 -05:00 · 2023-12-06 18:16:50 -05:00 · 67d20a6296
commit 67d20a6296
parent f6a288f511
2 changed files with 44 additions and 7 deletions
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -69,8 +69,7 @@ def login_callback(request):
    try:
        query = parse_qs(request.GET.urlencode())
        userinfo = CLIENT.callback(query, request.session)
-        user = authenticate(request=request, **userinfo)
-        if user:
+        
        # test for need for identity verification and if it is satisfied
        # if not satisfied, redirect user to login with stepped up acr_value
        if requires_step_up_auth(userinfo):
@ -78,6 +77,8 @@ def login_callback(request):
            request.session["acr_value"] = CLIENT.get_step_up_acr_value()
            return CLIENT.create_authn_request(request.session)
        
+        user = authenticate(request=request, **userinfo)
+        if user:
            login(request, user)
            logger.info("Successfully logged in user %s" % user)
            return redirect(request.session.get("next", "/"))
--- a/src/registrar/models/user.py
+++ b/src/registrar/models/user.py
@ -3,6 +3,8 @@ import logging
 from django.contrib.auth.models import AbstractUser
 from django.db import models

+from registrar.models.user_domain_role import UserDomainRole
+
 from .domain_invitation import DomainInvitation
 from .transition_domain import TransitionDomain
 from .domain import Domain
@ -66,6 +68,40 @@ class User(AbstractUser):

    @classmethod
    def needs_identity_verification(cls, email, uuid):
+        
+        logger.info('needs_identity_verification')
+        
+        try:
+            
+            existing_user = cls.objects.get(username=uuid)
+            
+             # An existing user who is a domain manager of a domain (that is, they have an entry in UserDomainRole for their User)
+            if existing_user and UserDomainRole.objects.filter(user=existing_user).exists():
+                
+                logger.info(f'Existing user email {existing_user.email}')
+                logger.info(f'User doman role email {UserDomainRole.objects.filter(user=existing_user).first().user.email}')
+                return False
+        
+        except:
+            pass
+                
+        # logger.info(f'UserDomainRole.objects.filter(user=existing_user).exists() {UserDomainRole.objects.filter(user=existing_user).exists()}')
+        logger.info('got past the existing_user get')
+                
+       
+        
+        # A new incoming user who is a domain manager for one of the domains that we inputted from Verisign (that is, their email address appears in the username field of a TransitionDomain) 
+        if TransitionDomain.objects.filter(username=email).exists():
+            logger.info('Transition user')
+            return False
+            
+        # A new incoming user who is being invited to be a domain manager (that is, their email address is in DomainInvitation for an invitation that is not yet "retrieved").
+        if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED):
+            logger.info('Invited user')
+            return False
+        
+        logger.info('needs_identity_verification is TRUE')
+        
        return True
    
    def check_domain_invitations_on_login(self):