Integrate django_agent_trust with django_two_factor_auth

2👍

in the beginning

django_agent_trust seemed like a good shortcut for this use case. It already had secure cookie support, a feature of Django I’d never used before, plus all the convenience methods I thought I’d need.

I was able to get it working with a little extra work.

problem

The problem I ran into was that django_agent_trust validates the signed cookie only after the user is authenticated — with an authenticated user from the request object. Since I was trying to minimize changes to django_two_factor_auth, I needed to decide whether or not to show the OTP form before authentication occurs.

solution

All the tools I needed were in django_agent_trust. I pulled the methods I needed out of its middleware and into a new utils.py, adding a ‘user’ argument to load_agent(). Then I was able to check the cookie against the validated-but-not-yet-logged-in user object from django_two_factor_auth's LoginView class.

Now django_two_factor_auth's LoginView can test for agent trust in has_token_step and has_backup_step, and everything works more or less as the author predicted 11 months ago…sigh.

I think adding this trust element might make sense as an enhancement to django_two_factor_auth. Juggling hacks to all these components seems like the wrong way to do it.

later

I took a cue from the django_otp project and added agent_trust as a “plugin” to two_factor. It seems usable and maybe a little easier to digest in this form. This worked for me, but I suspect there’s a much better way to do it. Patches welcome.

👤Chris
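
An added illustration of the check described in the answer above, not code from the answer or from either project: a per-user signed trust cookie is verified against the user who has just passed the password step, before login. Standard-library HMAC stands in for Django's signed cookies, and `load_agent(cookies, user)`, `has_token_step`, the dict-shaped user and its `trust_serial` field are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # stand-in for the server-side signing key
MAX_AGE = 30 * 24 * 3600          # assumed trust lifetime: 30 days

def cookie_name(username):
    # One cookie per account, so a shared browser can hold several.
    return "trust-" + hashlib.sha256(username.encode()).hexdigest()[:16]

def _sign(name, payload):
    # The cookie name is MACed with the payload, so a value replanted under
    # another account's cookie name does not verify.
    return hmac.new(SECRET, name.encode() + b"|" + payload, hashlib.sha256).hexdigest()

def issue_trust_cookie(user, now=None):
    name = cookie_name(user["username"])
    data = {"u": user["username"], "serial": user["trust_serial"],
            "ts": int(time.time() if now is None else now)}
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    return name, payload.decode() + "." + _sign(name, payload)

def load_agent(cookies, user, now=None):
    """True only if `cookies` holds a valid, fresh trust cookie for `user`.

    `user` is the account whose password was just checked, not request.user.
    """
    name = cookie_name(user["username"])
    payload, _, sig = cookies.get(name, "").rpartition(".")
    expected = _sign(name, payload.encode())
    if not payload or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # missing, tampered, or signed for a different cookie name
    data = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    return (now - data["ts"] <= MAX_AGE
            and data["u"] == user["username"]
            and data["serial"] == user["trust_serial"])  # serial bump revokes

def has_token_step(cookies, user, now=None):
    # Ask for the OTP unless this browser is already trusted for this user.
    return not load_agent(cookies, user, now)

# Constructed sample: alice trusts this browser; bob signs in on the same one.
alice = {"username": "alice", "trust_serial": 1}
bob = {"username": "bob", "trust_serial": 1}
name, value = issue_trust_cookie(alice, now=1_000)
print(has_token_step({name: value}, alice, now=2_000))               # False
print(has_token_step({cookie_name("bob"): value}, bob, now=2_000))   # True
```

The serial comparison gives a revocation path: incrementing the stored serial for an account invalidates every trust cookie issued before the change.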
