Fix broken token auth when 2FA is enabled (1.16) (#3327)

dekkers · ammar92 · underdarknl · web-flow · commit 15ef532a93df · 2024-08-07T15:34:00.000+02:00
Co-authored-by: ammar92 &lt;ammar.abdulamir@gmail.com&gt;
Co-authored-by: Jan Klopper &lt;janklopper+underdark@gmail.com&gt;
diff --git a/docs/source/manual/usermanual.rst b/docs/source/manual/usermanual.rst
@@ -246,8 +246,8 @@ After the CSV file has been uploaded the users receive a welcome email on their
  The OpenKAT team
 
 
-Token authentication
---------------------
+API token authentication
+------------------------
 
 Authentication tokens can be created in the admin interface (/admin). The token is created for an user account and will have the same permissions as the user. After creating a token it will display the newly created token once. You need to copy the token immediately, because the token are stored hashed in the database and won't be visible anymore.
 
diff --git a/rocky/rocky/middleware/auth_required.py b/rocky/rocky/middleware/auth_required.py
@@ -57,14 +57,15 @@ def middleware(request):
         # When 2fa is enabled, check if user is verified, otherwise redirect to 2fa setup page
         if (
             settings.TWOFACTOR_ENABLED
-            and not request.user.is_verified()
             and not (
                 # check if path is not in excluded list
                 request.path in excluded
                 or request.path in excluded_2fa
                 # check if path starts with anything in excluded_prefix
                 or any([request.path.startswith(prefix) for prefix in excluded_prefix])
             )
+            # This check should be after excluding /api because API users won't have `is_verified`
+            and not request.user.is_verified()
         ):
             return redirect(two_factor_setup_path)
 
diff --git a/rocky/tests/test_api.py b/rocky/tests/test_api.py
@@ -0,0 +1,13 @@
+from account.models import AuthToken
+
+
+# Regression test for https://github.com/minvws/nl-kat-coordination/issues/2872
+def test_api_2fa_enabled(client, settings, admin_user):
+    settings.TWOFACTOR_ENABLED = True
+
+    token_object = AuthToken(name="Test", user=admin_user)
+    token = token_object.generate_new_token()
+    token_object.save()
+
+    response = client.get("/api/v1/organization/", headers={"Authorization": f"Token {token}"})
+    assert response.status_code == 200
