🐞 Resend auth codes in email-otl or sms-otp doesn't work in alt-auth-…

…method (#307) (#308) Parent issue: sequentech/meta#260 Ensuring resend-auth-codes REST API works when alternative auth method id is supplied
sequentech · Sep 28, 2023 · a0f1355 · a0f1355
1 parent b582069
commit a0f1355
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/iam/api/tests.py b/iam/api/tests.py
@@ -1664,7 +1664,7 @@ def test_register_and_resend_code(self):
         response = c.post('/api/auth-event/%d/resend_auth_code/' % self.aeid, data)
         self.assertEqual(response.status_code, 400)
         r = parse_json_response(response)
-        self.assertEqual(r['error_codename'], 'AUTH_EVENT_NOT_STARTED')
+        self.assertEqual(r['error_codename'], 'INVALID_REQUEST')
 
         # good: self.aeid.census = close but allow_user_resend = True
         self.ae.auth_method_config['config']['allow_user_resend'] = True

diff --git a/iam/api/views.py b/iam/api/views.py
@@ -35,6 +35,7 @@
 import plugins
 from authmethods import (
     auth_authenticate,
+    get_patched_auth_event,
     auth_authenticate_otl,
     auth_census,
     auth_register,
@@ -1067,18 +1068,31 @@ class ResendAuthCode(View):
 
     def post(self, request, pk):
         auth_event = get_object_or_404(AuthEvent, pk=pk)
+
+        # we need the patched auth event to account for alternative auth method
+        # when calling to function check_allow_user_resend()
+        (patched_auth_event, error) = get_patched_auth_event(auth_event, request)
+        if error is not None:
+            return json_response(
+                status=500,
+                error_codename=ErrorCodes.INTERNAL_SERVER_ERROR
+            )
+
+        # if registration is closed, check that resend auth codes is allowed
         if (
             auth_event.census == 'close' and
-            not auth_event.check_allow_user_resend()
+            not patched_auth_event.check_allow_user_resend()
         ):
             return json_response(
                 status=400,
-                error_codename="AUTH_EVENT_NOT_STARTED")
-        # registration is closed
+                error_codename="INVALID_REQUEST")
+
+        # if registration is open, check that resend auth codes is allowed and
+        # the auth event is started
         if (
             (
                 auth_event.census == 'open' or
-                auth_event.check_allow_user_resend()
+                patched_auth_event.check_allow_user_resend()
             ) and
             auth_event.status != AuthEvent.STARTED and
             auth_event.status != AuthEvent.RESUMED