Comments (12)

dessibelle commented on August 23, 2024 2

I had this issue too, since my template tried to load some dynamically generated JS on a URL that was not in LOGIN_EXEMPT_URLS. Once I added it there it all worked fine, so glad I found this thread! I didn't try patch #65, but a clearer exception when a GET redirect invalidates the SessionWizard sounds like an ideal solution to me, as it will make troubleshooting a fair bit easier.

from django-two-factor-auth.

wadevries commented on August 23, 2024 2

I also had the problem of some js doing a request which my custom middleware redirected to the 2FA setup wizard, which reset the wizard-in-progress. I eventually fixed this in the middleware by having unverified AJAX requests return 403 (Forbidden) instead of 302'ing to the setup page.

Bouke commented on August 23, 2024

Can you try again with 3cc16f9? It might be that the changes in this commit also resolve the problem you're expressing here. If it doesn't, could you look into the conditions for this error to occur?

jmacul2 commented on August 23, 2024

I will be afk for a week, but I will try as soon as I get back. Thanks for your work! This app is great!

Bouke commented on August 23, 2024

Thanks for your feedback :). Alright, let me know if it works. Without any additional background information, this issue can't be investigated further so I'll close it. If you're running into the issue again it can be re-opened.

jmacul2 commented on August 23, 2024

I can confirm that this is still happening after upgrading to the 1.0.0-beta3 release.
I am also still getting "AttributeError: 'bool' object has no attribute 'otp_device'" randomly.

I've marked sentry pages for these errors in hopes that it will help:
https://sentry.usu.edu/networking/kcm/group/6376/
https://sentry.usu.edu/networking/kcm/group/6378/

Bouke commented on August 23, 2024

Alright, this issue needs some more investigation. I've copied the errors from the pages above, in case they become unavailable in the future:

AttributeError: 'bool' object has no attribute 'otp_device'
Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "django/views/generic/base.py", line 69, in view
    return self.dispatch(request, *args, **kwargs)
  File "django/utils/decorators.py", line 29, in _wrapper
    return bound_func(*args, **kwargs)
  File "django/views/decorators/debug.py", line 75, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "django/utils/decorators.py", line 25, in bound_func
    return func(self, *args2, **kwargs2)
  File "django/utils/decorators.py", line 29, in _wrapper
    return bound_func(*args, **kwargs)
  File "django/views/decorators/cache.py", line 52, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "django/utils/decorators.py", line 25, in bound_func
    return func(self, *args2, **kwargs2)
  File "django/contrib/formtools/wizard/views.py", line 236, in dispatch
    response = super(WizardView, self).dispatch(request, *args, **kwargs)
  File "django/views/generic/base.py", line 87, in dispatch
    return handler(request, *args, **kwargs)
  File "two_factor/views/core.py", line 93, in post
    return super(LoginView, self).post(*args, **kwargs)
  File "two_factor/views/utils.py", line 84, in post
    return super(IdempotentSessionWizardView, self).post(*args, **kwargs)
  File "django/contrib/formtools/wizard/views.py", line 289, in post
    if form.is_valid():
  File "django/forms/forms.py", line 129, in is_valid
    return self.is_bound and not bool(self.errors)
  File "django/forms/forms.py", line 121, in errors
    self.full_clean()
  File "django/forms/forms.py", line 274, in full_clean
    self._clean_form()
  File "django/forms/forms.py", line 300, in _clean_form
    self.cleaned_data = self.clean()
  File "two_factor/forms.py", line 152, in clean
    self.clean_otp(self.user)
  File "django_otp/forms.py", line 61, in clean_otp
    user.otp_device = None

And the second error:

ValueError: u'token' is not in list
Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "django/views/generic/base.py", line 69, in view
    return self.dispatch(request, *args, **kwargs)
  File "django/utils/decorators.py", line 29, in _wrapper
    return bound_func(*args, **kwargs)
  File "django/views/decorators/debug.py", line 75, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "django/utils/decorators.py", line 25, in bound_func
    return func(self, *args2, **kwargs2)
  File "django/utils/decorators.py", line 29, in _wrapper
    return bound_func(*args, **kwargs)
  File "django/views/decorators/cache.py", line 52, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "django/utils/decorators.py", line 25, in bound_func
    return func(self, *args2, **kwargs2)
  File "django/contrib/formtools/wizard/views.py", line 236, in dispatch
    response = super(WizardView, self).dispatch(request, *args, **kwargs)
  File "django/views/generic/base.py", line 87, in dispatch
    return handler(request, *args, **kwargs)
  File "build/bdist.linux-x86_64/egg/two_factor/views/core.py", line 93, in post
    return super(LoginView, self).post(*args, **kwargs)
  File "build/bdist.linux-x86_64/egg/two_factor/views/utils.py", line 84, in post
    return super(IdempotentSessionWizardView, self).post(*args, **kwargs)
  File "django/contrib/formtools/wizard/views.py", line 291, in post
    self.storage.set_step_data(self.steps.current, self.process_step(form))
  File "build/bdist.linux-x86_64/egg/two_factor/views/utils.py", line 106, in process_step
    key = keys.index(step) + 1

vail130 commented on August 23, 2024

I've been getting the same error (AttributeError: 'bool' object has no attribute 'otp_device') in Chrome but not in Firefox. Not sure why (yet), but hopefully that helps.

Bouke commented on August 23, 2024

I tried investigating this issue, but I cannot reproduce it. Unless steps to reproduce are provided, I think there is not much to be done here.

rsniezynski commented on August 23, 2024

I also was getting the "AttributeError: 'bool' object has no attribute 'otp_device'" error. Only in Chrome (every time), in Firefox it worked fine.
The reason was that Chrome performs an additional request for favicon.ico after submitting the auth form, and the favicon URL went through login-requiring middleware by mistake. This reset the flow. Hope this helps.

Bouke commented on August 23, 2024

Alright, thanks for the pointer. To reproduce, place the code below before </body> in the example _base.html template. This will produce said error in both Chrome and Safari.

<img src="/secret/?{% now "c" %}" />

The bug is that there's a request being made to some URL requiring authentication. That view will return a 302 redirect to the login view. This will result in a GET request to the login view. The WizardView being used for the LoginView then does the following:

def get(self, request, *args, **kwargs):
    """
    This method handles GET requests.

    If a GET request reaches this point, the wizard assumes that the user
    just starts at the first step or wants to restart the process.
    The data of the wizard will be resetted before rendering the first step.
    """
    self.storage.reset()

    # reset the current step to the first step.
    self.storage.current_step = self.steps.first
    return self.render(self.get_form())

The data of the wizard will be resetted before rendering the first step.

The solution for now would be to examine which URLs are being called from the login view, and make sure those don't require authentication. I'll investigate how to nicely handle this situation, without throwing an exception.

Bouke commented on August 23, 2024

For those having this issue, please try the patch above. Although it doesn't solve the root cause, it should solve exceptions being thrown. Solving the root cause will be harder, as the SessionWizard resets its data when called on GET. While this might be desirable for most situations, it causes a problem when a URL is called that redirects to the login view. On the other hand, implementers should not include URLs in the login view that require authentication. Anyway, the warning message below is logged when the user encounters this situation.

Requested step 'token' is no longer valid, returning to last valid step in the wizard.

from django-two-factor-auth.
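
The reset described in this thread can be modelled without Django. The following is an added example, not code from django-two-factor-auth or Django: `WizardSession`, `gate`, `login_flow`, the URL patterns and the 400 status (a stand-in for the exceptions in the traces above) are hypothetical. It shows a redirected subrequest resetting the wizard between the password and token steps, and the two workarounds mentioned in the comments (an exempt list, and 403 instead of 302 for AJAX requests) keeping the flow intact.

```python
import re

# Assumed settings for this sketch; only the name LOGIN_EXEMPT_URLS comes from the thread.
LOGIN_URL = "/account/login/"
LOGIN_EXEMPT_URLS = [r"^/account/login/$", r"^/static/", r"^/favicon\.ico$"]


class WizardSession:
    """Minimal stand-in for the session wizard: GET resets, POST advances."""
    STEPS = ["auth", "token"]

    def __init__(self):
        self.current = "auth"

    def get(self):
        self.current = "auth"      # models storage.reset() in the wizard's get()
        return 200

    def post(self, step):
        if step != self.current:   # stale step: the wizard was reset underneath the user
            return 400             # stand-in for the exceptions reported in the thread
        nxt = self.STEPS.index(step) + 1
        self.current = self.STEPS[nxt] if nxt < len(self.STEPS) else "done"
        return 200


def gate(path, authenticated, is_ajax=False, exempt=LOGIN_EXEMPT_URLS):
    """Login-required middleware decision; returns (status, redirect_target)."""
    if authenticated or any(re.search(p, path) for p in exempt):
        return 200, None
    if is_ajax:
        return 403, None           # refuse instead of redirecting into the wizard
    return 302, LOGIN_URL


def login_flow(subrequests, exempt=LOGIN_EXEMPT_URLS):
    """Submit the password step, let the page fire subrequests, then submit the token."""
    wizard = WizardSession()
    wizard.get()
    wizard.post("auth")
    for path, is_ajax in subrequests:
        status, target = gate(path, authenticated=False, is_ajax=is_ajax, exempt=exempt)
        if status == 302 and target == LOGIN_URL:
            wizard.get()           # the browser follows the redirect with a GET
    return wizard.post("token")
```
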
