Cookie validation raises BadSignature error after major Django upgrade #686

webjunkie opened this issue Dec 15, 2023 · 1 comment
webjunkie commented Dec 15, 2023

Expected Behavior

After a major Django version upgrade, existing two-factor authentication cookies should continue to be valid until their expiration.

Current Behavior

After a major Django version upgrade, existing two-factor authentication cookies are invalidated due to the change in the user's password hash. This happens because Django updates the password hash on login if the hash iteration count changes with the new version. Consequently, the hash used in the two-factor authentication cookies, which relies on the user's password hash, no longer matches, causing cookie validation to fail with a BadSignature exception when using validate_remember_device_cookie directly. While views in django-two-factor-auth itself catch this exception, implementations using validate_remember_device_cookie directly might not. In our case, the user is presented with an error and no way to continue.

Possible Solution

One potential solution is to just return false on the cookie validation, as signature mismatches might not be due to malicious behavior, but also due to upgrades or even in general due to other changes in how the hashing is done.

Steps to Reproduce

  1. Implement two-factor authentication using django-two-factor-auth in a Django project.
  2. Login and generate a two-factor authentication cookie with the current Django version. Then log out.
  3. Upgrade to a newer major version of Django where the password hash iteration count changes.
  4. Log in and attempt to validate the previously generated two-factor authentication cookie using validate_remember_device_cookie.

Context

This issue leads to an inconvenient user experience, as in our case users are forced to clear their cookies after a Django upgrade. It affects the seamless usage of two-factor authentication in Django applications.

Your Environment

  • Django version: upgrade from 3.x to 4.x
  • django-otp version: 1.1.4
  • django-two-factor-auth version: 1.14.0
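The failure described above comes from binding the remember-device cookie's signing key to the user's stored password hash: when Django rehashes the password on login (because the hasher's iteration count changed), the key changes and every cookie signed under the old hash fails verification. The following added example is not django-two-factor-auth's code; it is a stand-alone reimplementation of that scheme with plain hmac/hashlib, a local BadSignature class standing in for django.core.signing.BadSignature, a constructed SECRET_KEY, a fixed salt and illustrative iteration counts (Django's real defaults differ per release). It shows the strict validator raising after the simulated upgrade, and a lenient wrapper that turns the mismatch into "no remembered device" so the caller falls back to asking for the second factor instead of showing an error.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical project secret, constructed for this example (Django reads SECRET_KEY from settings).
SECRET_KEY = b"constructed-example-secret-key"


class BadSignature(Exception):
    """Same name as django.core.signing.BadSignature; defined locally so the example runs without Django."""


def make_password(raw_password, iterations, salt="constructedsalt"):
    """Build a Django-style 'pbkdf2_sha256$<iterations>$<salt>$<hash>' string (constructed, fixed salt)."""
    digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def _cookie_key(password_hash):
    # The cookie's signing key is derived from the stored password hash, so a password change
    # (or, as in the issue, a rehash with a new iteration count) invalidates every cookie.
    return hmac.new(SECRET_KEY, password_hash.encode(), hashlib.sha256).digest()


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def get_remember_device_cookie(user, device_id, issued_at):
    """Sign a payload naming the trusted device and its issue time under the user's current password hash."""
    payload = _b64encode(json.dumps({"device": device_id, "ts": issued_at}).encode())
    signature = hmac.new(_cookie_key(user["password"]), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{signature}"


def validate_remember_device_cookie(cookie, user, device_id, now, max_age):
    """Strict variant: raises BadSignature on a signature mismatch, otherwise returns True/False."""
    payload, _, signature = cookie.rpartition(":")
    expected = hmac.new(_cookie_key(user["password"]), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, expected):
        raise BadSignature("remember-device cookie signature does not match")
    data = json.loads(_b64decode(payload))
    if now - data["ts"] > max_age:
        return False  # expired: the device must be confirmed again
    return data["device"] == device_id


def remember_device_is_valid(cookie, user, device_id, now, max_age):
    """Lenient wrapper for callers: any mismatch simply means 'ask for the second factor again'."""
    try:
        return validate_remember_device_cookie(cookie, user, device_id, now, max_age)
    except BadSignature:
        return False


def login(user, raw_password, current_iterations):
    """Simulate Django rehashing the password on login when the hasher's iteration count changed."""
    _algorithm, iterations, salt, _digest = user["password"].split("$")
    if not hmac.compare_digest(user["password"], make_password(raw_password, int(iterations), salt)):
        raise ValueError("wrong password")
    if int(iterations) != current_iterations:
        user["password"] = make_password(raw_password, current_iterations, salt)


def simulate_upgrade(old_iterations=100_000, new_iterations=150_000):
    """Issue a cookie before the upgrade, log in afterwards, and check the cookie both ways."""
    user = {"password": make_password("correct horse battery staple", old_iterations)}
    cookie = get_remember_device_cookie(user, "device-1", issued_at=1_000)
    before = remember_device_is_valid(cookie, user, "device-1", now=1_100, max_age=86_400)
    login(user, "correct horse battery staple", new_iterations)  # rehash with the new count
    try:
        validate_remember_device_cookie(cookie, user, "device-1", now=1_200, max_age=86_400)
        strict_raised = False
    except BadSignature:
        strict_raised = True
    after = remember_device_is_valid(cookie, user, "device-1", now=1_200, max_age=86_400)
    return before, strict_raised, after


if __name__ == "__main__":
    print(simulate_upgrade())  # (True, True, False)
```

The wrapper fails closed: a cookie that no longer verifies, whether because of a rehash, a password change or tampering, only costs the user a second-factor prompt, which is the behaviour the views in the project already get by catching the exception. Callers that use the strict function directly should either catch BadSignature themselves or go through a wrapper like this one.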
@moggers87 (Collaborator)

I don't think the current behaviour is a bug. The doc string of validate_remember_device_cookie could be clearer though.
