django-pfx 1.4.dev14__tar.gz → 1.4.dev18__tar.gz

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev14
+Version: 1.4.dev18
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/django_pfx.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev14
+Version: 1.4.dev18
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/doc/conf.py

@@ -53,7 +53,8 @@ release = '1.0'
 # ones.
 extensions = ['myst_parser',
               'sphinx.ext.autodoc',
-              'sphinx.ext.autosummary']
+              'sphinx.ext.autosummary',
+              'sphinxcontrib.mermaid']
 autodoc_member_order = 'bysource'
 
 # Add any paths that contain templates here, relative to this directory.

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/doc/source/authentication.md

@@ -48,12 +48,50 @@ To use the `CookieAuthenticationMiddleware`, you need to configure the following
 
 See the [MDN Website](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) for more details.
 
+### Multifactor Authentication
+Multifactor authentication can be enabled in django-pfx Authentication API.
+
+PFX currently provides MFA with One Time Password (OTP), compatible with FreeOTP,
+Google Authenticator and other OTP app.
+
+To enable this feature, install django-pfx with otp
+
+```bash
+pip install django-pfx[otp]
+```
+
+Then the user class must use the ```OtpUserMixin```
+
+```python
+from django.contrib.auth.models import AbstractUser
+from pfx.pfxcore.models import OtpUserMixin
+
+class MyUser(OtpUserMixin, AbstractUser):
+    pass
+```
+
+The user can then enable or disable the OTP auth using the [services documented below](#enable-mfa-otp).
+
 ## Services
 
 ### Login
 A login rest services with a `mode` parameter to choose between JWT bearer token or cookie authentication.
 In cookie mode, the JWT token is saved in an HTTP-only cookie.
 
+```{mermaid}
+
+   sequenceDiagram
+      participant App
+      participant API
+      App->>API: POST /auth/login
+      alt Authentication success
+        API->>App: 200 OK + cookie
+      else Authentication failed
+        API->>App: 401 Unautorized
+      end
+
+```
+
 **Request :** `POST` `/auth/login?mode=<mode>`
 
 **Request body:**
@@ -75,6 +113,122 @@ In cookie mode, the JWT token is saved in an HTTP-only cookie.
 | user  | the user object                        |
 
 
+### Login + TOTP
+If the user has enabled the TOTP login, the process is the same as above for the first step,
+except that the login service returns a temporary JWT token valid only for the otp services.
+
+```{mermaid}
+
+   sequenceDiagram
+      participant App
+      participant API
+      App->>API: POST /auth/login
+      alt Login success
+        API->>App: 200 OK
+        note left of API: temporary jwt token
+        App->>API: POST /auth/otp/login
+        note right of App: temporary jwt token + OTP token in body.
+        alt OTP success
+            API->>App: 200 OK
+            note left of API: JWT token in cookie or in body <br/> + user in body
+        else OTP failed
+            API->>App: 401 Unautorized
+        end
+      else Login failed
+        API->>App: 401 Unautorized
+      end
+
+```
+
+**Request :** `POST` `/auth/login?mode=<mode>`
+
+**Request body:**
+
+| Field       | Description                         |
+|-------------|-------------------------------------|
+| username    | the username                        |
+| password    | the password                        |
+| remember_me | If true, use a long validity token. |
+
+**Responses :**
+
+* `HTTP 401` if the credentials are incorrect
+* `HTTP 200` with the following body
+
+| Field | Description           |
+|-------|-----------------------|
+| token | a temporary jwt token |
+
+
+**Request :** `POST` `/auth/otp/login?mode=<mode>`
+
+**Request body:**
+
+| Field       | Description                         |
+|-------------|-------------------------------------|
+| token       | the temporary jwt token             |
+| otp         | the one time password (TOTP)        |
+
+**Responses :**
+
+* `HTTP 401` if the temporary jwt token is incorrect
+* `HTTP 403` if the otp is incorrect
+* `HTTP 200` with the following body
+
+| Field | Description                            |
+|-------|----------------------------------------|
+| token | the jwt token. (only if mode is 'jwt') |
+| user  | the user object                        |
+
+### Enable MFA OTP
+Services to enable the MFA with OTP.
+You have to call first the `activate` service to get the URI,
+encode it as a QR code and present it in the UI of your software.
+Then user then scans this QR code to add the OTP secret to his OTP App.
+Finally, the `confirm` service must be called with an OTP code retrieved
+in the OTP App to confirm the activation.
+
+**Request :** `PUT` `/auth/otp/activate`
+
+**Responses :**
+
+* `HTTP 400` if the otp is already enabled
+* `HTTP 200` with the following body
+
+| Field     | Description                           |
+|-----------|---------------------------------------|
+| setup_uri | the uri to enable the OTP application |
+
+**Request :** `PUT` `/auth/otp/confirm`
+
+**Request body:**
+
+| Field       | Description                           |
+|-------------|---------------------------------------|
+| otp_code    | the otp code retrieved in the OTP app |
+
+**Responses :**
+
+* `HTTP 422` if the otp code is invalid
+* `HTTP 200` if the otp code is valid
+
+### Disable MFA OTP
+A service to disable the MFA with OTP.
+
+**Request :** `PUT` `/auth/otp/disable`
+
+**Request body:**
+
+| Field       | Description                           |
+|-------------|---------------------------------------|
+| otp_code    | the otp code retrieved in the OTP app |
+
+**Responses :**
+
+* `HTTP 422` if the otp code is invalid
+* `HTTP 200` if the otp code is valid
+
+
 ### Logout
 A service that deletes the authentication cookie if it exists.
 

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/pfx/pfxcore/exceptions.py

@@ -19,17 +19,17 @@ class APIError(Exception):
         return res
 
 
-class JsonErrorAPIError(APIError):
-    def __init__(self, json_error, status=422, **kwargs):
+class ModelNotFoundAPIError(APIError):
+    def __init__(self, model, status=404, **kwargs):
         super().__init__(
-            f(_("JSON Malformed {}").format(str(json_error))),
+            f(_("{model} not found."), model=model._meta.verbose_name),
             status=status, **kwargs)
 
 
-class ModelNotFoundAPIError(APIError):
-    def __init__(self, model, status=404, **kwargs):
+class JsonErrorAPIError(APIError):
+    def __init__(self, json_error, status=422, **kwargs):
         super().__init__(
-            f(_("{model} not found."), model=model._meta.verbose_name),
+            f(_("JSON Malformed {}").format(str(json_error))),
             status=status, **kwargs)
 
 
@@ -50,17 +50,17 @@ class RelatedModelNotFoundAPIError(ModelValidationAPIError):
 
 
 class AuthenticationError(APIError):
-    def __init__(self, message=None, status=401, **kwargs):
+    def __init__(self, message=None, status=422, **kwargs):
         super().__init__(
-            f(message or _("Authentication Error")),
+            f(message or _("Login failed")),
             status=status, **kwargs)
 
 
 class UnauthorizedError(APIError):
-    def __init__(self, **kwargs):
+    def __init__(self, message=None, status=401, **kwargs):
         super().__init__(
-            f(_("Unauthorized")),
-            status=401, **kwargs)
+            f(message or _("Unauthorized")),
+            status=status, **kwargs)
 
 
 class ForbiddenError(APIError):
@@ -71,7 +71,7 @@ class ForbiddenError(APIError):
 
 
 class NotFoundError(APIError):
-    def __init__(self, **kwargs):
+    def __init__(self, message=None, status=404, **kwargs):
         super().__init__(
-            f(_("Resource not found")),
-            status=404, **kwargs)
+            f(message or _("Resource not found")),
+            status=status, **kwargs)

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/pfx/pfxcore/locale/fr/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-23 13:42+0200\n"
+"POT-Creation-Date: 2024-03-28 11:03+0100\n"
 "PO-Revision-Date: 2021-06-22 23:31+0200\n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -18,22 +18,22 @@ msgstr ""
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
 "X-Generator: Poedit 2.3\n"
 
-#: decorator/rest.py:30
+#: decorator/rest.py:43
 msgid "An internal server error occured."
 msgstr "Une erreur interne du serveur est survenue."
 
-#: exceptions.py:25
-msgid "JSON Malformed {}"
-msgstr "JSON malformé {}"
-
-#: exceptions.py:32 exceptions.py:48
+#: exceptions.py:25 exceptions.py:48
 #, python-brace-format
 msgid "{model} not found."
 msgstr "{model} non trouvé."
 
+#: exceptions.py:32
+msgid "JSON Malformed {}"
+msgstr "JSON malformé {}"
+
 #: exceptions.py:55
-msgid "Authentication Error"
-msgstr "Erreur d'authentification"
+msgid "Login failed"
+msgstr "La connexion a échoué"
 
 #: exceptions.py:62
 msgid "Unauthorized"
@@ -44,16 +44,14 @@ msgid "Forbidden"
 msgstr "Interdit"
 
 #: exceptions.py:76
-#, fuzzy
-#| msgid "{model} not found."
 msgid "Resource not found"
-msgstr "{model} non trouvé."
+msgstr "Ressource non trouvée"
 
-#: fields.py:68
+#: fields.py:77
 msgid "Invalid value."
-msgstr ""
+msgstr "Valeur invalide."
 
-#: fields.py:83
+#: fields.py:92
 msgid ""
 "Invalid format, it can be a number in hours, “1:05”, “:05”, “1h 5m”, “1.5h” "
 "or “30m”."
@@ -61,20 +59,39 @@ msgstr ""
 "Format non valide, il peut s’agir d’un nombre en heures, « 1:05 », « :05 », "
 "« 1h 5m », « 1.5h » ou « 30m »."
 
-#: middleware/authentication.py:45 middleware/authentication.py:48
-#: middleware/authentication.py:53
-msgid "Authentication error"
-msgstr "Erreur d'authentification"
+#: models/otp_user_mixin.py:8
+msgid "OTP secret token"
+msgstr "Jeton secret OTP"
 
-#: middleware/authentication.py:50
-msgid "Token has expired"
-msgstr "Le jeton a expiré"
+#: models/otp_user_mixin.py:11
+msgid "Temporary OTP secret token"
+msgstr "Jeton secret OTP temporaire"
 
 #: models/pfx_models.py:14
 #, python-format
 msgid "%(model_name)s with this %(field_labels)s already exists."
 msgstr "%(model_name)s avec ce/cette %(field_labels)s éxiste déjà."
 
+#: shortcuts.py:52
+#, python-brace-format
+msgid "{key} must be an integer number."
+msgstr "{key} doit être un nombre entier."
+
+#: shortcuts.py:68
+#, python-brace-format
+msgid "{key} must be a number."
+msgstr "{key} doit être un nombre."
+
+#: shortcuts.py:84
+#, python-brace-format
+msgid "{key} must be a date."
+msgstr "{key} doit être une date."
+
+#: shortcuts.py:105
+#, python-brace-format
+msgid "{key} must be “true”, “false”, “1”, “0” or empty."
+msgstr "{key} doit être « true », « false », « 1 », « 0 » ou vide"
+
 #: templates/registration/password_reset_email.txt:2
 #, python-format
 msgid ""
@@ -122,19 +139,43 @@ msgstr "Bienvenue sur %(site_name)s."
 msgid "Welcome on %(site_name)s"
 msgstr "Bienvenue sur %(site_name)s"
 
-#: views/authentication_views.py:101 views/authentication_views.py:155
+#: views/authentication_views.py:221 views/authentication_views.py:378
 msgid "password updated successfully"
 msgstr "le mot de passe a été mis à jour avec succès"
 
-#: views/authentication_views.py:106
+#: views/authentication_views.py:226
 msgid "Incorrect password"
 msgstr "Mot de passe incorrect"
 
-#: views/authentication_views.py:109 views/authentication_views.py:164
+#: views/authentication_views.py:229 views/authentication_views.py:387
 msgid "Empty password is not allowed"
 msgstr "Un mot de passe vide n’est pas autorisé"
 
-#: views/authentication_views.py:268
+#: views/authentication_views.py:313
+msgid "User and token are valid"
+msgstr "L'utilisateur et le token sont valides"
+
+#: views/authentication_views.py:315
+msgid "User or token is invalid"
+msgstr "L'utilisateur ou le token est invalide"
+
+#: views/authentication_views.py:420
+msgid "OTP is already activated"
+msgstr "L'OTP est déjà activé"
+
+#: views/authentication_views.py:458
+msgid "OTP is activated"
+msgstr "L'OTP est activé"
+
+#: views/authentication_views.py:459 views/authentication_views.py:493
+msgid "Invalid OTP code"
+msgstr "Code OTP invalide"
+
+#: views/authentication_views.py:492
+msgid "OTP is disabled"
+msgstr "L'OTP est désactivé"
+
+#: views/authentication_views.py:740
 msgid ""
 "If the email address you entered is correct, you will receive an email from "
 "us with instructions to reset your password."
@@ -143,35 +184,32 @@ msgstr ""
 "un courrier électronique de notre part contenant des instructions pour "
 "réinitialiser votre mot de passe."
 
-#: views/rest_views.py:139
+#: views/filters_views.py:79
+#, python-brace-format
+msgid "Invalid value for {filter} filter"
+msgstr "Valeur invalide pour le filtre {filter}"
+
+#: views/rest_views.py:235
+#, python-brace-format
+msgid "{obj} cannot be deleted because it is referenced by other objects."
+msgstr ""
+"{obj} ne peut pas être supprimé car il est référencé par d’autres objets."
+
+#: views/rest_views.py:329
 #, python-brace-format
 msgid "{model} {obj} created."
 msgstr "{model} {obj} créé."
 
-#: views/rest_views.py:140
+#: views/rest_views.py:330
 #, python-brace-format
 msgid "{model} {obj} updated."
 msgstr "{model} {obj} modifié."
 
-#: views/rest_views.py:241
-#, python-brace-format
-msgid "Meta {meta} does not exists."
-msgstr "La meta {meta} n’éxiste pas."
-
-#: views/rest_views.py:396
+#: views/rest_views.py:1076
 #, python-brace-format
 msgid "{model} {obj} deleted."
 msgstr "{model} {obj} supprimé."
 
-#: views/rest_views.py:400
-#, python-brace-format
-msgid "{obj} cannot be deleted because it is referenced by other objects."
-msgstr ""
-"{obj} ne peut pas être supprimé car il est référencé par d’autres objets."
-
-#: views/rest_views.py:422 views/rest_views.py:432
+#: views/rest_views.py:1138 views/rest_views.py:1166
 msgid "Unexpected storage error"
 msgstr "Erreur de stockage inattendue"
-
-#~ msgid "A message has been sent"
-#~ msgstr "Un message a été envoyé"

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/pfx/pfxcore/shortcuts.py

@@ -49,7 +49,7 @@ def get_int(data, key, default=None):
         return parse_int(data.get(key))
     except ValueError:
         from pfx.pfxcore.exceptions import APIError
-        raise APIError(f(_("{key} must be an integer value."), key=key))
+        raise APIError(f(_("{key} must be an integer number."), key=key))
 
 
 def parse_float(value):
@@ -65,7 +65,7 @@ def get_float(data, key, default=None):
         return parse_float(data.get(key))
     except ValueError:
         from pfx.pfxcore.exceptions import APIError
-        raise APIError(f(_("{key} must be an float value."), key=key))
+        raise APIError(f(_("{key} must be a number."), key=key))
 
 
 def parse_date(value):
@@ -81,7 +81,7 @@ def get_date(data, key, default=None):
         return parse_date(data.get(key))
     except ValueError:
         from pfx.pfxcore.exceptions import APIError
-        raise APIError(f(_("{key} must be a date value."), key=key))
+        raise APIError(f(_("{key} must be a date."), key=key))
 
 
 def parse_bool(value):
@@ -102,7 +102,7 @@ def get_bool(data, key, default=None):
     except ValueError:
         from pfx.pfxcore.exceptions import APIError
         raise APIError(f(
-            _("{key} must be 'true'|'false'|'1'|'0' or empty."),
+            _("{key} must be “true”, “false”, “1”, “0” or empty."),
             key=key))
 
 

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/pfx/pfxcore/views/authentication_views.py

@@ -26,6 +26,7 @@ from pfx.pfxcore.exceptions import (
     AuthenticationError,
     ForbiddenError,
     NotFoundError,
+    UnauthorizedError,
 )
 from pfx.pfxcore.http import JsonResponse
 from pfx.pfxcore.middleware.authentication import JWTTokenDecodeMixin
@@ -64,8 +65,8 @@ class AuthenticationView(
     #: The token generator.
     token_generator = default_token_generator
 
-    def login_error_response(self):
-        """Raise the error for login error.
+    def login_failed_response(self):
+        """Return the response for login failed.
 
         Can be overridden to customize the error."""
         raise AuthenticationError()
@@ -112,7 +113,7 @@ class AuthenticationView(
                     enum: ['jwt', 'cookie']
                     default: 'jwt'
             responses:
-                401:
+                422:
                     description: The credentials are not valid.
         """
         data = self.deserialize_body()
@@ -121,7 +122,7 @@ class AuthenticationView(
         if isinstance(user, CacheableMixin):
             user.cache_delete()
         if user is None:
-            return self.login_error_response()
+            return self.login_failed_response()
         mode = self.request.GET.get('mode', 'jwt')
         remember_me = data.get('remember_me', False)
         if isinstance(user, OtpUserMixin) and user.otp_secret_token:
@@ -384,7 +385,7 @@ class AuthenticationView(
             return JsonResponse(
                 ValidationError(dict(
                     password=_("Empty password is not allowed"))), status=422)
-        raise AuthenticationError()
+        raise UnauthorizedError()
 
     @method_decorator(never_cache)
     @rest_api("/otp/activate", public=False, method="put")
@@ -518,10 +519,12 @@ class AuthenticationView(
                                     type: string
                                     description: a valid OTP code
             responses:
+                422:
+                    description: If OTP code is missing, invalid or expired.
                 401:
-                    description: If OTP code is not valid.
+                    description: If the token is missing, invalid or expired.
                 403:
-                    description: If the token is not valid or expired.
+                    description: If the OTP is disabled for this user.
 
         """
         data = self.deserialize_body()
@@ -529,13 +532,15 @@ class AuthenticationView(
             user, mode, remember_me = self.decode_jwt(
                 data.get('token'), otp_login=True)
         except Exception:
-            raise ForbiddenError()
+            raise UnauthorizedError()
         if not isinstance(user, OtpUserMixin):
             logger.error("User must inherit OtpUserMixin to activate OTP")
             raise NotFoundError()
+        if not user.otp_secret_token:
+            raise ForbiddenError()
         if user.is_otp_valid(data.get('otp_code')):
             return self._login_success(user, mode, remember_me)
-        return self.login_error_response()
+        return self.login_failed_response()
 
     def get_user(self, uidb64):
         """Get user by token

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/requirements.txt

@@ -14,6 +14,7 @@ apispec
 sphinx
 myst-parser
 sphinx-rtd-theme
+sphinxcontrib-mermaid
 dill
 apispec
 pyyaml

{django-pfx-1.4.dev14 → django-pfx-1.4.dev18}/tests/tests/test_auth_api.py

@@ -39,12 +39,12 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
             '/api/auth/login', {
                 'username': 'jrr.tolkien',
                 'password': 'WRONG PASSWORD'})
-        self.assertRC(response, 401)
+        self.assertRC(response, 422)
 
     def test_emtpy_login(self):
         response = self.client.post(
             '/api/auth/login', {})
-        self.assertRC(response, 401)
+        self.assertRC(response, 422)
 
     @override_settings(PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
     def test_valid_login(self):
@@ -639,7 +639,6 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
                 'uidb64': 'WRONG UID',
                 'password': 'NEW PASSWORD',
             })
-
         self.assertRC(response, 401)
 
         # Then try with a valid token and uid
@@ -792,6 +791,11 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
             '/api/books')
         self.assertRC(response, 200)
 
+    def enable_otp(self, user):
+        user.otp_secret_token = pyotp.random_base32()
+        user.save()
+        return pyotp.totp.TOTP(self.user1.otp_secret_token)
+
     def test_otp_activate(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
@@ -835,8 +839,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
     def test_otp_activate_already_activated(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
+        self.enable_otp(self.user1)
 
         response = self.client.put('/api/auth/otp/activate')
         self.assertRC(response, 400)
@@ -845,9 +848,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
     def test_otp_disable(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
-        totp = pyotp.totp.TOTP(self.user1.otp_secret_token)
+        totp = self.enable_otp(self.user1)
 
         response = self.client.put('/api/auth/otp/disable', dict(
             otp_code=totp.now()))
@@ -860,8 +861,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
     def test_otp_disable_bad_code(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
+        self.enable_otp(self.user1)
 
         response = self.client.put('/api/auth/otp/disable', dict(
             otp_code='-'))
@@ -873,9 +873,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
 
     @override_settings(PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
     def test_otp_login(self):
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
-        totp = pyotp.totp.TOTP(self.user1.otp_secret_token)
+        totp = self.enable_otp(self.user1)
 
         with freeze_time("2023-05-01 08:00:00"):
             response = self.client.post('/api/auth/login', dict(
@@ -909,9 +907,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
 
     @override_settings(PFX_TOKEN_LONG_VALIDITY={'days': 1})
     def test_otp_login_remember_me(self):
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
-        totp = pyotp.totp.TOTP(self.user1.otp_secret_token)
+        totp = self.enable_otp(self.user1)
 
         with freeze_time("2023-05-01 08:00:00"):
             response = self.client.post('/api/auth/login', dict(
@@ -945,9 +941,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
                 datetime(2023, 5, 2, 8, 10))
 
     def test_otp_login_expired_token(self):
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
-        totp = pyotp.totp.TOTP(self.user1.otp_secret_token)
+        totp = self.enable_otp(self.user1)
 
         with freeze_time("2023-05-01 08:00:00"):
             response = self.client.post('/api/auth/login', dict(
@@ -962,12 +956,11 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
             response = self.client.post('/api/auth/otp/login', dict(
                 token=token,
                 otp_code=totp.now()))
-            self.assertRC(response, 403)
+            self.assertRC(response, 401)
 
     @override_settings(PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
     def test_otp_login_invalid_code(self):
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
+        self.enable_otp(self.user1)
 
         response = self.client.post('/api/auth/login', dict(
             username='jrr.tolkien',
@@ -980,12 +973,29 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
         response = self.client.post('/api/auth/otp/login', dict(
             token=token,
             otp_code='-'))
-        self.assertRC(response, 401)
+        self.assertRC(response, 422)
+
+    @override_settings(PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
+    def test_otp_login_disabled(self):
+        totp = self.enable_otp(self.user1)
+
+        response = self.client.post('/api/auth/login', dict(
+            username='jrr.tolkien',
+            password='RIGHT PASSWORD'))
+        self.assertRC(response, 200)
+        self.assertJE(response, 'need_otp', True)
+        self.assertJEExists(response, 'token')
+        token = self.get_val(response, 'token')
+
+        self.user1.disable_otp()
+
+        response = self.client.post('/api/auth/otp/login', dict(
+            token=token,
+            otp_code=totp.now()))
+        self.assertRC(response, 403)
 
     def test_otp_token_rejected(self):
-        self.user1.otp_secret_token = pyotp.random_base32()
-        self.user1.save()
-        totp = pyotp.totp.TOTP(self.user1.otp_secret_token)
+        totp = self.enable_otp(self.user1)
 
         response = self.client.post('/api/auth/login', dict(
             username='jrr.tolkien',