Only validate token against chosen device (jazzband#473)

Gautier · Jul 27, 2022 · 954522d · 954522d
1 parent 5fa50fa
commit 954522d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/tests/test_views_login.py b/tests/test_views_login.py
@@ -258,8 +258,8 @@ def test_throttle_with_generator(self, mock_signal):
         response = self._post({'token-otp_token': totp_str(device.bin_key),
                                'login_view-current_step': 'token'})
         self.assertEqual(response.context_data['wizard']['form'].errors,
-                         {'__all__': ['Invalid token. Please make sure you '
-                                      'have entered it correctly.']})
+                         {'__all__': ['Verification temporarily disabled because '
+                                      'of 1 failed attempt, please try again soon.']})
 
     @mock.patch('two_factor.gateways.fake.Fake')
     @mock.patch('two_factor.views.core.signals.user_verified.send')
@@ -361,7 +361,6 @@ def test_with_backup_token(self, mock_signal):
 
     def test_totp_token_does_not_impact_backup_token(self):
         user = self.create_user()
-        user.totpdevice_set.create(name='default', key=random_hex())
         backup_device = user.staticdevice_set.create(name='backup')
         backup_device.token_set.create(token='abcdef123')
         totp_device = user.totpdevice_set.create(name='default', key=random_hex())

diff --git a/two_factor/forms.py b/two_factor/forms.py
@@ -125,10 +125,9 @@ class AuthenticationTokenForm(OTPAuthenticationFormMixin, forms.Form):
 
     def __init__(self, user, initial_device, **kwargs):
         """
-        `initial_device` is either the user's default device, or the backup
-        device when the user chooses to enter a backup token. The token will
-        be verified against all devices, it is not limited to the given
-        device.
+        `initial_device` is either the user's default device, the challenge
+        device, or the backup device when the user chooses to enter a backup
+        token.
         """
         super().__init__(**kwargs)
         self.user = user
@@ -152,6 +151,9 @@ def __init__(self, user, initial_device, **kwargs):
                 label=label
             )
 
+    def _chosen_device(self, user):
+        return self.initial_device
+
     def clean(self):
         self.clean_otp(self.user)
         return self.cleaned_data