zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-07-29 22:16:33 +02:00
Code Issues Projects Releases Packages Wiki Activity

Revert "Ticket #2158: Use biometric auth instead of IAL2"

Browse source
This commit is contained in:
zandercymatics 2024-05-24 12:21:20 -06:00 committed by GitHub
parent ef4e758517
commit 84e1361208
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 48 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

44
src/djangooidc/views.py
View file

@ -91,21 +91,12 @@ def login_callback(request):
_initialize_client()
query = parse_qs(request.GET.urlencode())
userinfo = CLIENT.callback(query, request.session)
# test for need for identity verification and if it is satisfied
# if not satisfied, redirect user to login requiring biometric auth
# Tests for the presence of the vtm/vtr values in the userinfo object.
# If they are there, then we can set a flag in our session for tracking purposes.
needs_step_up_auth = _requires_step_up_auth(userinfo)
request.session["needs_step_up_auth"] = needs_step_up_auth
# Return a redirect request to a new auth url that does biometric validation
if needs_step_up_auth:
request.session["vtm"] = CLIENT.get_vtm_value()
request.session["vtr"] = CLIENT.get_vtr_value()
return CLIENT.create_authn_request(request.session, do_step_up_auth=True)
# if not satisfied, redirect user to login with stepped up acr_value
if _requires_step_up_auth(userinfo):
# add acr_value to request.session
request.session["acr_value"] = CLIENT.get_step_up_acr_value()
return CLIENT.create_authn_request(request.session)
user = authenticate(request=request, **userinfo)
if user:
@ -147,27 +138,14 @@ def login_callback(request):
return error_page(request, err)
def _requires_step_up_auth(userinfo) -> bool:
"""
Checks for the presence of the key 'vtm' and 'vtr' in the provided `userinfo` object.
If they are not found, then we call `User.needs_identity_verification()`.
Args:
userinfo (dict): A dictionary of data from the returned user object.
Return Conditions:
If the provided user does not exist in any tables which would preclude them from doing
biometric authentication, then we return True. Otherwise, we return False.
Alternatively, if 'vtm' and 'vtr' already exist on `userinfo`, then we return False.
"""
def _requires_step_up_auth(userinfo):
"""if User.needs_identity_verification and step_up_acr_value not in
ial returned from callback, return True"""
step_up_acr_value = CLIENT.get_step_up_acr_value()
acr_value = userinfo.get("ial", "")
uuid = userinfo.get("sub", "")
email = userinfo.get("email", "")
# This value is returned after successful auth
user_verified = userinfo.get("vot", "")
if not userinfo.get("vtm") or not userinfo.get("vtr") or not user_verified:
if acr_value != step_up_acr_value:
# The acr of this attempt is not at the highest level
# so check if the user needs the higher level
return User.needs_identity_verification(email, uuid)