Warehouse: Attempting to view account settings for an account with 2FA enabled asks to reauthenticate even immediately after login
Describe the bug
After logging in, and immediately visiting the account settings page only a few seconds later, a "Confirm password to continue" page is shown.
My account has U2F 2FA enabled, in case that ends up being relevant.
Expected behavior
Immediately after login (and having provided both a password and the U2F), access should likely be enabled across any part of the site, including sensitive areas, until some timeout has elapsed.
To Reproduce
In a private window (or other place where you have not logged in), visit the home page, click log in, fill out your credentials, authenticate via U2F if applicable, then click "Account Settings" in the menu bar after logging in.
Quick video attached:
My Platform
FF80, macOS, U2F via Yubikey
Additional context
8191 seems likely related (though don't know that the behavior is new after it).
Julian
All 4 comments
Thanks for the report, I've noticed this as well. It looks like the initial login is not setting the "time to reauthenticate" in the session.
di
on 20 Aug 2020
I couldn't create this issue again
imsahil007
on 25 Aug 2020
Perhaps indeed 2FA/U2F is required to observe the behavior then?
Julian
on 25 Aug 2020
Yes, it definitely is. The record_auth_timestamp function is only called when the user doesn't have 2FA set: https://github.com/pypa/warehouse/blob/ab78391c8e69173aa878c08f88259756de1db7b4/warehouse/accounts/views.py#L200
This needs to happen here as well:
Really, since _login_user is used in both, it should happen here instead:
di
on 25 Aug 2020
Related issues
mbakke
路
3Comments
apogoreliy
路
4Comments
Lawouach
路
3Comments
LarsFronius
路
4Comments
toddrme2178
路
3Comments