Auth Improvements (#10752) (#10761)

* Return more detail in MFA failure response

* Reject auth requests for users who are inactive

* Move markdown config out of settings.py

(cherry picked from commit 9018462)

Co-authored-by: Oliver <oliver.henry.walters@gmail.com>

Author: github-actions[bot]

src/backend/InvenTree/InvenTree/AllUserRequire2FAMiddleware.py

@@ -44,7 +44,9 @@ class AllUserRequire2FAMiddleware(MiddlewareMixin):
 
     def on_require_2fa(self, request: HttpRequest) -> HttpResponse:
         """Force user to mfa activation."""
-        return JsonResponse({'id': 'mfa_register'}, status=401)
+        return JsonResponse(
+            {'id': 'mfa_register', 'error': self.require_2fa_message}, status=401
+        )
 
     def is_allowed_page(self, request: HttpRequest) -> bool:
         """Check if the current page can be accessed without mfa."""

src/backend/InvenTree/InvenTree/setting/markdown.py

@@ -0,0 +1,44 @@
+"""Configuration options for django-markdownify.
+
+Ref: https://django-markdownify.readthedocs.io/en/latest/settings.html
+"""
+
+
+def markdownify_config():
+    """Return configuration dictionary for django-markdownify."""
+    return {
+        'default': {
+            'BLEACH': True,
+            'WHITELIST_ATTRS': ['href', 'src', 'alt'],
+            'MARKDOWN_EXTENSIONS': ['markdown.extensions.extra'],
+            'WHITELIST_TAGS': [
+                'a',
+                'abbr',
+                'b',
+                'blockquote',
+                'code',
+                'em',
+                'h1',
+                'h2',
+                'h3',
+                'h4',
+                'h5',
+                'hr',
+                'i',
+                'img',
+                'li',
+                'ol',
+                'p',
+                'pre',
+                's',
+                'strong',
+                'table',
+                'thead',
+                'tbody',
+                'th',
+                'tr',
+                'td',
+                'ul',
+            ],
+        }
+    }

src/backend/InvenTree/InvenTree/settings.py

@@ -42,7 +42,7 @@
 from users.oauth2_scopes import oauth2_scopes
 
 from . import config
-from .setting import locales, storages
+from .setting import locales, markdown, storages
 
 try:
     import django_stubs_ext
@@ -1399,42 +1399,7 @@
 # Markdownify configuration
 # Ref: https://django-markdownify.readthedocs.io/en/latest/settings.html
 
-MARKDOWNIFY = {
-    'default': {
-        'BLEACH': True,
-        'WHITELIST_ATTRS': ['href', 'src', 'alt'],
-        'MARKDOWN_EXTENSIONS': ['markdown.extensions.extra'],
-        'WHITELIST_TAGS': [
-            'a',
-            'abbr',
-            'b',
-            'blockquote',
-            'code',
-            'em',
-            'h1',
-            'h2',
-            'h3',
-            'h4',
-            'h5',
-            'hr',
-            'i',
-            'img',
-            'li',
-            'ol',
-            'p',
-            'pre',
-            's',
-            'strong',
-            'table',
-            'thead',
-            'tbody',
-            'th',
-            'tr',
-            'td',
-            'ul',
-        ],
-    }
-}
+MARKDOWNIFY = markdown.markdownify_config()
 
 # Ignore these error types for in-database error logging
 IGNORED_ERRORS = [Http404, HttpResponseGone, django.core.exceptions.PermissionDenied]

src/backend/InvenTree/InvenTree/views.py

@@ -12,6 +12,12 @@ def auth_request(request):
 
     Useful for (for example) redirecting authentication requests through django's permission framework.
     """
-    if request.user and request.user.is_authenticated:
-        return HttpResponse(status=200)
-    return HttpResponse(status=403)
+    if not request.user or not request.user.is_authenticated:
+        return HttpResponse(status=403)
+
+    if not request.user.is_active:
+        # Reject requests from inactive users
+        return HttpResponse(status=403)
+
+    # User is authenticated and active
+    return HttpResponse(status=200)