ocadotechnology · faucomte97 · Oct 23, 2023 · Oct 20, 2023
diff --git a/backend/api/tests/test_views.py b/backend/api/tests/test_views.py
@@ -1,3 +1,5 @@
+import json
+import typing as t
 from unittest.mock import patch
 
 import pyotp
@@ -14,14 +16,14 @@ class TestLoginView(TestCase):
     def setUp(self):
         self.user = User.objects.get(id=2)
 
-    def _get_session_auth_factors(self, response: HttpResponse):
-        return [
-            auth_factor
-            for auth_factor in response.cookies[
-                "sessionid_httponly_false"
-            ].value.split(",")
-            if auth_factor != ""
-        ]
+    def _get_session(self, response: HttpResponse):
+        class Session(t.NamedTuple):
+            user_id: int
+            auth_factors: t.List[str]
+
+        return Session(
+            **json.loads(response.cookies["sessionid_httponly_false"].value)
+        )
 
     def test_post__otp(self):
         AuthFactor.objects.create(
@@ -38,7 +40,9 @@ def test_post__otp(self):
         )
 
         assert response.status_code == 200
-        assert self._get_session_auth_factors(response) == [AuthFactor.Type.OTP]
+        session = self._get_session(response)
+        assert session.user_id == self.user.id
+        assert session.auth_factors == [AuthFactor.Type.OTP]
 
         self.user.userprofile.otp_secret = pyotp.random_base32()
         self.user.userprofile.save()
@@ -53,7 +57,9 @@ def test_post__otp(self):
             )
 
         assert response.status_code == 200
-        assert self._get_session_auth_factors(response) == []
+        session = self._get_session(response)
+        assert session.user_id == self.user.id
+        assert session.auth_factors == []
 
 
 class TestClearExpiredView(CronTestCase):

diff --git a/backend/api/views.py b/backend/api/views.py
@@ -1,3 +1,4 @@
+import json
 import logging
 
 from codeforlife.mixins import CronMixin
@@ -25,7 +26,6 @@
 from .permissions import UserHasSessionAuthFactors
 
 
-# TODO: add 2FA logic
 class LoginView(_LoginView):
     request: HttpRequest
 
@@ -48,6 +48,7 @@ def form_valid(self, form: BaseAuthForm):
 
         # Create session (without data).
         login(self.request, form.user)
+        user = self.request.user
 
         # TODO: use google analytics
         user_session = {"user": form.user}
@@ -61,15 +62,21 @@ def form_valid(self, form: BaseAuthForm):
         # Save session (with data).
         self.request.session.save()
 
-        response = HttpResponse()
-
         # Create a non-HTTP-only session cookie with the pending auth factors.
+        response = HttpResponse()
         response.set_cookie(
             key="sessionid_httponly_false",
-            value=",".join(
-                self.request.user.session.session_auth_factors.values_list(
-                    "auth_factor__type", flat=True
-                )
+            value=json.dumps(
+                {
+                    "user_id": user.id,
+                    "auth_factors": list(
+                        user.session.session_auth_factors.values_list(
+                            "auth_factor__type", flat=True
+                        )
+                    ),
+                },
+                separators=(",", ":"),
+                indent=None,
             ),
             max_age=(
                 None