fix: resolve all linting errors in 2FA middleware

heysamtexas · claude · heysamtexas · commit 00ef439b3e16 · 2025-08-19T12:17:30.000+02:00
- Replace typing.Any with proper AbstractUser type annotation (ANN401) - Use descriptive variable name for exception handling (BLE001) - Reduce return statements in sync/async methods from 7 to 3 (PLR0911) - Extract helper methods _should_enforce_2fa() and _should_enforce_2fa_async() - Add single targeted noqa for legitimate security catch-all exception handler The broad exception catch in URL resolution is intentionally kept with noqa comment as it provides secure fallback behavior for any unexpected errors during Django's URL resolution process while properly logging details. All 58 tests pass. No functional changes to middleware behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/myapp/middleware.py b/src/myapp/middleware.py
@@ -8,9 +8,12 @@
 """
 
 import logging
-from typing import Any
+from typing import TYPE_CHECKING
 
 from allauth.mfa.adapter import get_adapter as get_mfa_adapter
+
+if TYPE_CHECKING:
+    from django.contrib.auth.models import AbstractUser
 from asgiref.sync import sync_to_async
 from django.conf import settings
 from django.contrib import messages
@@ -73,7 +76,7 @@ def _is_static_request(self, request: HttpRequest) -> bool:
 
         return request.path.startswith((static_url, media_url))
 
-    def _user_has_2fa(self, user: Any) -> bool:
+    def _user_has_2fa(self, user: "AbstractUser") -> bool:
         """Check if user has 2FA enabled."""
         mfa_adapter = get_mfa_adapter()
         return mfa_adapter.is_mfa_enabled(user)
@@ -90,9 +93,9 @@ def _is_exempt_url(self, request: HttpRequest) -> bool:
                 # Can't resolve = probably 404 = let it through
                 security_logger.debug("2FA: path %s doesn't resolve, allowing", request.path)
                 return True
-            except Exception as e:
+            except Exception as resolution_error:  # noqa: BLE001
                 # Unexpected error during resolution - log and don't exempt
-                security_logger.warning("2FA: error resolving path %s: %s", request.path, str(e))
+                security_logger.warning("2FA: error resolving path %s: %s", request.path, str(resolution_error))
                 return False
 
         # Check by URL name
@@ -109,28 +112,55 @@ def _is_exempt_url(self, request: HttpRequest) -> bool:
 
         return False
 
-    # Sync version
-    def __call__(self, request: HttpRequest) -> HttpResponse:
-        """Process the request and enforce 2FA if required."""
+    def _should_enforce_2fa(self, request: HttpRequest) -> bool:
+        """Check if 2FA should be enforced for this request."""
         # Skip static/media files
         if self._is_static_request(request):
-            return self.get_response(request)
+            return False
 
         # Skip if user not authenticated
         if not request.user.is_authenticated:
-            return self.get_response(request)
+            return False
 
         # Skip exempt URLs
         if self._is_exempt_url(request):
-            return self.get_response(request)
+            return False
 
         # Check if 2FA is required by site configuration
         site_config = SiteConfiguration.objects.get()
         if not site_config.required_2fa:
-            return self.get_response(request)
+            return False
 
         # Check if user has 2FA
-        if self._user_has_2fa(request.user):
+        return not self._user_has_2fa(request.user)
+
+    async def _should_enforce_2fa_async(self, request: HttpRequest) -> bool:
+        """Async version: Check if 2FA should be enforced for this request."""
+        # Skip static/media files
+        if self._is_static_request(request):
+            return False
+
+        # Skip if user not authenticated
+        if not request.user.is_authenticated:
+            return False
+
+        # Skip exempt URLs
+        if self._is_exempt_url(request):
+            return False
+
+        # Check if 2FA is required by site configuration
+        site_config = await sync_to_async(SiteConfiguration.objects.get)()
+        if not site_config.required_2fa:
+            return False
+
+        # Check if user has 2FA
+        has_2fa = await sync_to_async(self._user_has_2fa)(request.user)
+        return not has_2fa
+
+    # Sync version
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        """Process the request and enforce 2FA if required."""
+        if not self._should_enforce_2fa(request):
             return self.get_response(request)
 
         # User needs 2FA - log and redirect
@@ -150,26 +180,7 @@ def __call__(self, request: HttpRequest) -> HttpResponse:
     # Async version
     async def __acall__(self, request: HttpRequest) -> HttpResponse:
         """Process the request and enforce 2FA if required."""
-        # Skip static/media files
-        if self._is_static_request(request):
-            return await self.get_response(request)
-
-        # Skip if user not authenticated
-        if not request.user.is_authenticated:
-            return await self.get_response(request)
-
-        # Skip exempt URLs
-        if self._is_exempt_url(request):
-            return await self.get_response(request)
-
-        # Check if 2FA is required by site configuration
-        site_config = await sync_to_async(SiteConfiguration.objects.get)()
-        if not site_config.required_2fa:
-            return await self.get_response(request)
-
-        # Check if user has 2FA
-        has_2fa = await sync_to_async(self._user_has_2fa)(request.user)
-        if has_2fa:
+        if not await self._should_enforce_2fa_async(request):
             return await self.get_response(request)
 
         # User needs 2FA - log and redirect
