From 87fdf3f2350b76bcbcfe47639a694c95cb371631 Mon Sep 17 00:00:00 2001
From: Julian Bez
Date: Wed, 20 Dec 2023 08:23:01 +0000
Subject: [PATCH] fix(auth): Fix problem of BadSignature in django two factor auth library (#19351)

Fixes #19350
Fixes POSTHOG-DJW
---
 posthog/api/authentication.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/posthog/api/authentication.py b/posthog/api/authentication.py
index 7da0859f0d0c6..47e0e720cc68d 100644
--- a/posthog/api/authentication.py
+++ b/posthog/api/authentication.py
@@ -11,6 +11,7 @@
     PasswordResetTokenGenerator as DefaultPasswordResetTokenGenerator,
 )
 from django.core.exceptions import ValidationError
+from django.core.signing import BadSignature
 from django.db import transaction
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import redirect
@@ -104,10 +105,15 @@ def _check_if_2fa_required(self, user: User) -> bool:
         # If user has a valid 2FA cookie, use that instead of showing them the 2FA screen
         for key, value in self.context["request"].COOKIES.items():
             if key.startswith(REMEMBER_COOKIE_PREFIX) and value:
-                if validate_remember_device_cookie(value, user=user, otp_device_id=device.persistent_id):
-                    user.otp_device = device # type: ignore
-                    device.throttle_reset()
-                    return False
+                try:
+                    if validate_remember_device_cookie(value, user=user, otp_device_id=device.persistent_id):
+                        user.otp_device = device # type: ignore
+                        device.throttle_reset()
+                        return False
+                except BadSignature:
+                    # Workaround for signature mismatches due to Django upgrades.
+                    # See https://github.com/PostHog/posthog/issues/19350
+                    pass
         return True

     def create(self, validated_data: Dict[str, str]) -> Any:
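Review bot: The new `except BadSignature: pass` in `_check_if_2fa_required` discards a failed cookie signature check without any trace, so an operator cannot tell a cookie signed under an older Django signing scheme (the case the comment names) from a tampered one; the result is fail-closed either way, because the loop moves on and the method falls through to `return True`, but the event itself deserves a record. Replace the bare `pass` with a warning such as `logger.warning("Ignoring remember-device cookie with invalid signature", exc_info=True)` (assuming the module has a `logger`; the hunk does not show one) and widen the comment to `# Tampered, expired, or signed under an older Django signing scheme: ignore the cookie and require 2FA.` Note that `SignatureExpired` subclasses `BadSignature` in `django.core.signing`, so expired remember-device cookies are swallowed here as well, which the current comment does not say. Clearing the rejected cookie on the response would stop a client from re-presenting it on every login, but that needs the response object, which this serializer method does not appear to have. The body of `_check_if_2fa_required` begins before this hunk.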