2fa: disable client-login token when 2fa is enabled.

seahub/api2/serializers.py

@@ -4,7 +4,7 @@ from seahub.auth import authenticate
 from seahub.api2.models import Token, TokenV2, DESKTOP_PLATFORMS
 from seahub.api2.utils import get_token_v1, get_token_v2
 from seahub.profile.models import Profile
-from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH, verify_two_factor_token
+from seahub.utils.two_factor_auth import has_two_factor_auth, verify_two_factor_token
 
 def all_none(values):
     for value in values:
@@ -82,7 +82,7 @@ class AuthTokenSerializer(serializers.Serializer):
         return token.key
 
     def _two_factor_auth(self, request, username):
-        if not HAS_TWO_FACTOR_AUTH:
+        if not has_two_factor_auth():
             return
         token = request.META.get('HTTP_X_SEAFILE_OTP', '')
         if not token:

seahub/api2/views_auth.py

@@ -10,6 +10,7 @@ from seahub.api2.authentication import TokenAuthentication
 from seahub.api2.models import Token, TokenV2
 from seahub.base.models import ClientLoginToken
 from seahub.utils import gen_token
+from seahub.utils.two_factor_auth import has_two_factor_auth, two_factor_auth_enabled
 
 class LogoutDeviceView(APIView):
     """Removes the api token of a device that has already logged in. If the device
@@ -41,6 +42,8 @@ class ClientLoginTokenView(APIView):
 
     @json_response
     def post(self, request, format=None):
+        if has_two_factor_auth() and two_factor_auth_enabled(request.user.username):
+            return {}
         randstr = gen_token(max_length=32)
         token = ClientLoginToken(randstr, request.user.username)
         token.save()

seahub/profile/views.py

@@ -22,7 +22,7 @@ from seahub.base.templatetags.seahub_tags import email2nickname
 from seahub.contacts.models import Contact
 from seahub.options.models import UserOptions, CryptoOptionNotSetError
 from seahub.utils import is_ldap_user
-from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH
+from seahub.utils.two_factor_auth import has_two_factor_auth
 from seahub.views import get_owned_repo_list
 
 @login_required
@@ -75,8 +75,6 @@ def edit_profile(request):
     owned_repos = get_owned_repo_list(request)
     owned_repos = filter(lambda r: not r.is_virtual, owned_repos)
 
-    two_factor_auth_enabled = HAS_TWO_FACTOR_AUTH and config.ENABLE_TWO_FACTOR_AUTH
-
     return render_to_response('profile/set_profile.html', {
             'form': form,
             'server_crypto': server_crypto,
@@ -86,7 +84,7 @@ def edit_profile(request):
             'owned_repos': owned_repos,
             'is_pro': is_pro_version(),
             'is_ldap_user': is_ldap_user(request.user),
-            'two_factor_auth_enabled': two_factor_auth_enabled,
+            'two_factor_auth_enabled': has_two_factor_auth(),
             }, context_instance=RequestContext(request))
 
 @login_required

seahub/utils/two_factor_auth.py

@@ -1,4 +1,5 @@
 # encoding: utf-8
+from constance import config
 
 try:
     from seahub_extra.two_factor.views.login import (
@@ -12,3 +13,7 @@ except ImportError:
     handle_two_factor_auth = None
     verify_two_factor_token = None
     HAS_TWO_FACTOR_AUTH = False
+
+
+def has_two_factor_auth():
+    return HAS_TWO_FACTOR_AUTH and config.ENABLE_TWO_FACTOR_AUTH