When clean called more than once captcha is deleted and then validation error is ensured?

[skyl]

I'm trying to shim in a captcha to this wizard: https://github.com/Bouke/django-two-factor-auth/blob/master/two_factor/views/core.py#L64

When I override the default django.contrib.auth.forms.AuthenticationForm with a subclass that has a CaptchaField added, within the context of the above wizard, I always get form validation error on the captcha field. I did some investigating and it looks like the clean method of the CaptchaField is getting called a bunch (5-10 times?) and so, it's coming back valid maybe the first time and finally, the CaptchaStore gets deleted at some point and CaptchaStore.DoesNotExist gets triggered.

As a hack, I've just overridden the clean method so that it doesn't call delete on the CaptchaStore instance. This seems to work ... idk what the security implications are yet. I'm thinking that remove_expired() will maybe do just as well.

[ziima]

Deletion is necessary part of captcha validation. Otherwise a single captcha image could be used to pass multiple forms. In my opinion, there is something wrong with the django-two-factor-auth or your application, because no form should be validated more than once.

[mbi]

@ziima that's how Django's form wizard behaves, it's per design and I'm not sure there is a proper way around it.

[ziima]

I haven't used the wizard myself, but I probably found the source of the problem in django-formtools. Anyhow IdempotentSessionWizardView seems to be able to mitigate that problem according to its description.

[mlieqo]

Same problem for me, spend almost whole day trying to figure out some kind of captcha validation caching, but in the end realized that it's probably going to be easier to switch to django-recaptcha.