From 954522dbe12bc4e89f3ecdd5c307ce7ee667c7f8 Mon Sep 17 00:00:00 2001
From: Gautier Hayoun
Date: Wed, 27 Jul 2022 09:02:07 +0100
Subject: [PATCH] Only validate token against chosen device (#473)
---
 tests/test_views_login.py | 5 ++---
 two_factor/forms.py | 10 ++++++----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/tests/test_views_login.py b/tests/test_views_login.py
index 76e98dc03..96f352253 100644
--- a/tests/test_views_login.py
+++ b/tests/test_views_login.py
@@ -258,8 +258,8 @@ def test_throttle_with_generator(self, mock_signal):
 response = self._post({'token-otp_token': totp_str(device.bin_key), 'login_view-current_step': 'token'})
 self.assertEqual(response.context_data['wizard']['form'].errors,
- {'__all__': ['Invalid token. Please make sure you ' 'have entered it correctly.']})
+ {'__all__': ['Verification temporarily disabled because ' 'of 1 failed attempt, please try again soon.']})
 @mock.patch('two_factor.gateways.fake.Fake')
 @mock.patch('two_factor.views.core.signals.user_verified.send')
@@ -361,7 +361,6 @@ def test_with_backup_token(self, mock_signal):
 def test_totp_token_does_not_impact_backup_token(self):
 user = self.create_user()
- user.totpdevice_set.create(name='default', key=random_hex())
 backup_device = user.staticdevice_set.create(name='backup')
 backup_device.token_set.create(token='abcdef123')
 totp_device = user.totpdevice_set.create(name='default', key=random_hex())
diff --git a/two_factor/forms.py b/two_factor/forms.py
index 50551fabe..71ba600c0 100644
--- a/two_factor/forms.py
+++ b/two_factor/forms.py
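Review bot: Neither visible test pins the behaviour the commit title promises — that a token valid for a device other than the chosen one is now rejected; `test_totp_token_does_not_impact_backup_token` only loses a duplicate device creation and the throttle test only updates its expected message. Unless such a case exists further down the file, add one that builds the token step for the backup device, posts a valid TOTP code taken from `totp_device`, and asserts the wizard form reports an invalid token instead of completing the login; the mirror case (a backup token while the TOTP device is chosen) is equally worth pinning. The body of `test_totp_token_does_not_impact_backup_token` continues past the end of the hunk, so the assertions it already makes are not visible here.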
@@ -125,10 +125,9 @@ class AuthenticationTokenForm(OTPAuthenticationFormMixin, forms.Form):
 def __init__(self, user, initial_device, **kwargs):
 """
- `initial_device` is either the user's default device, or the backup device when the user chooses to enter a backup token. The token will be verified against all devices, it is not limited to the given device.
+ `initial_device` is either the user's default device, the challenge device, or the backup device when the user chooses to enter a backup token.
 """
 super().__init__(**kwargs)
 self.user = user
@@ -152,6 +151,9 @@ def __init__(self, user, initial_device, **kwargs):
 label=label
 )
+ def _chosen_device(self, user): return self.initial_device
+
 def clean(self):
 self.clean_otp(self.user)
 return self.cleaned_data
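Review bot: The new `_chosen_device` hook returns `self.initial_device` without checking that it belongs to `user` and without a docstring, so the "only the chosen device" guarantee rests entirely on whoever constructs the form. I would state that contract where the next maintainer will see it: `"""Return the single device the token is verified against; initial_device is trusted to belong to user."""`. It is also worth confirming what the mixin's `clean_otp` (not in this hunk) does when this hook returns `None` — if it falls back to matching the token against all of the user's devices, a `None` `initial_device` silently reinstates the behaviour this commit removes, so either reject `None` here or make sure every caller passes a device. `__init__` begins in the first hunk and its body, including the assignment of `self.initial_device`, lies outside both hunks.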