Description
Multiple issues related to MFA login.
1: Enforced MFA Login
If the LOGIN_ENFORCE_MFA option is selected, the user is not correctly notified, or redirected to the MFA page.
- Login as admin user (without MFA)
- Go to the system settings page
- Enable the LOGIN_ENFORCE_MFA setting
- Experience broken UI
The user is not logged out, however any successive API requests fail silently with 401.
However, the UI still gives the appearance that the user is correctly logged in.
2: ✅ Media File Access
Issues accessing media files from the app, when LOGIN_ENFORCE_MFA is active. Although the /api/ requests work OK on the app, any requests to /media/ fail - due to not meeting the strict MFA check.
3: Login Screen
A user without MFA can still log in - they are not presented with an MFA scanning option if they do not have any MFA configured. A user without MFA configured should be redirected to the MFA configuration screen, rather than being logged in.
4: ✅ Assign TOTP Codes
There seem to be issues assigning codes via TOTP in the current version. The UI just throws a generic 401 error.
This is with a "fresh" TOTP code via the Google Authenticator app - it should be working just fine.
From the console logs:
Unauthorized: /api/auth/v1/account/authenticators/totp
2025-11-03 10:36:17,494 WARNING Unauthorized: /api/auth/v1/account/authenticators/totp
5: Web Index Access
The 'index' page cannot be accessed if LOGIN_ENFORCE_MFA is enabled.
6: ✅ INVENTREE_MFA_ENABLED setting
This currently has no effect - whether enabled or disabled
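As an added illustration of the behaviour the report asks for (this is example code written for this page, not InvenTree's own code or a proposed patch): a single gate function evaluated for every request class, so the index page, /api/ and /media/ cannot disagree with each other, a browser session without an authenticator is redirected to set-up instead of being left with silent 401s, and the authenticator-enrolment endpoint stays reachable for a user who has no second factor yet while remaining locked for a user who has one but has not verified it. The Session and Settings dataclasses, the redirect URLs, the /static/ public prefix and the exempt-prefix list are assumptions; the authenticators prefix is taken from the endpoint named in the report.

```python
"""Constructed example: one MFA gate evaluated for every request class.

Added illustration, not InvenTree code. The Session fields, the Settings
attribute, the redirect targets and the prefix lists are assumptions.
"""
from dataclasses import dataclass

# Assumed URLs that browser sessions are redirected to.
LOGIN_URL = "/login/"
MFA_SETUP_URL = "/mfa/setup/"
MFA_VERIFY_URL = "/mfa/verify/"

# Paths that need no session at all (assumed list).
PUBLIC_PREFIXES = ("/static/", LOGIN_URL)

# Paths a logged-in user with NO authenticator must still reach, otherwise
# enforcement makes enrolment impossible (chicken-and-egg). The
# authenticators prefix matches the endpoint named in the report.
MFA_EXEMPT_PREFIXES = (
    MFA_SETUP_URL,
    MFA_VERIFY_URL,
    "/api/auth/v1/account/authenticators/",
)


@dataclass
class Session:
    authenticated: bool
    mfa_configured: bool   # at least one authenticator enrolled
    mfa_verified: bool     # this session completed a second-factor step
    wants_html: bool       # browser navigation (True) vs API/XHR/media client (False)


@dataclass
class Settings:
    login_enforce_mfa: bool


def _block(url, reason, session):
    """Browsers get a redirect they can follow; API and media clients get an
    explicit 401 carrying the reason, so the front end can react instead of
    failing silently while the page still looks logged in."""
    if session.wants_html:
        return ("redirect", url)
    return ("deny", 401, reason)


def mfa_gate(path, session, settings):
    """Decide whether a request may proceed.

    Returns ("allow", None), ("redirect", url) or ("deny", 401, reason).
    The same rule runs for "/", "/api/..." and "/media/...", so no path
    class can end up stricter or looser than another.
    """
    if path.startswith(PUBLIC_PREFIXES):
        return ("allow", None)
    if not session.authenticated:
        return _block(LOGIN_URL, "login-required", session)
    # A user who already has an authenticator must verify before touching
    # anything, including authenticator management: otherwise a password
    # alone would be enough to add or remove second factors.
    if session.mfa_configured and not session.mfa_verified:
        return _block(MFA_VERIFY_URL, "mfa-verify-required", session)
    # Enforcement only adds "you must enrol"; the enrolment paths themselves
    # are exempt so the user can actually do that.
    if (settings.login_enforce_mfa and not session.mfa_configured
            and not path.startswith(MFA_EXEMPT_PREFIXES)):
        return _block(MFA_SETUP_URL, "mfa-setup-required", session)
    return ("allow", None)


def walk_through_report():
    """Replay the reported scenario: an admin logged in without MFA, then
    LOGIN_ENFORCE_MFA is switched on mid-session (constructed sessions)."""
    enforce = Settings(login_enforce_mfa=True)
    browser = Session(True, False, False, True)
    api_client = Session(True, False, False, False)
    return {
        "index": mfa_gate("/", browser, enforce),
        "api": mfa_gate("/api/part/", api_client, enforce),
        "media": mfa_gate("/media/part_images/x.png", api_client, enforce),
        "enrol_totp": mfa_gate("/api/auth/v1/account/authenticators/totp",
                               api_client, enforce),
    }


if __name__ == "__main__":
    for name, outcome in walk_through_report().items():
        print(f"{name:>10}: {outcome}")
```

Running the module prints the four outcomes: the index request is redirected to set-up, the API and media requests both get an explicit 401 with the same reason, and the TOTP enrolment call is allowed so the user can actually satisfy the new requirement.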