It appears that when a token is disabled, it is still being checked during a /validate/check call. For testing I have a user with a SPass token and a RADIUS token. I have the RADIUS token disabled. However, if I enter the proper OTP for the RADIUS token, the is_challenge_response and is_challenge_request functions of the RADIUS token are still processed.
I’ve worked around this issue by updating the check_token_list function in token.py to remove any inactive tokens (in addition to revoked tokens). I also fixed the bug there where the removal wasn’t working at all since the loop was trying to remove an item from itself which tends to not function properly.
```python
# Remove locked tokens from tokenobject_list
if len(tokenobject_list) > 1:
    for tokenobject in tokenobject_list[:]:
        if tokenobject.is_revoked():
            tokenobject_list.remove(tokenobject)
        elif tokenobject.is_active() is False:
            tokenobject_list.remove(tokenobject)

    if len(tokenobject_list) == 0:
        # If there is no unlocked/active token left.
        raise TokenAdminError(_("This action is not possible, since the "
                                "tokens are locked or disabled"), id=1007)
```
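The iteration bug described in the post, shown as an added example that is not the poster's or privacyIDEA's code: removing from a list while looping over it skips the element after each removal, so a revoked or disabled token can stay in the candidate list. `StubToken`, the serials and both filter functions are constructed for illustration.

```python
class StubToken:
    """Constructed stand-in for a token object; not privacyIDEA's class."""

    def __init__(self, serial, revoked=False, active=True):
        self.serial = serial
        self._revoked = revoked
        self._active = active

    def is_revoked(self):
        return self._revoked

    def is_active(self):
        return self._active


def filter_in_place_buggy(tokens):
    """Removes while iterating the same list: the iterator skips the
    element that slides into the slot of each removed item."""
    for tok in tokens:
        if tok.is_revoked() or not tok.is_active():
            tokens.remove(tok)
    return tokens


def filter_over_copy(tokens):
    """Iterates a shallow copy (tokens[:]) so every element is inspected."""
    for tok in tokens[:]:
        if tok.is_revoked() or not tok.is_active():
            tokens.remove(tok)
    return tokens


def sample_tokens():
    # Constructed sample: two unusable tokens next to each other.
    return [
        StubToken("RAD0001", active=False),
        StubToken("TOTP0002", revoked=True),
        StubToken("SPASS0003"),
    ]


def serials(tokens):
    return [t.serial for t in tokens]


if __name__ == "__main__":
    print("buggy:", serials(filter_in_place_buggy(sample_tokens())))
    print("fixed:", serials(filter_over_copy(sample_tokens())))
```

With the buggy loop the revoked token directly after the disabled one is never inspected and remains eligible for the authentication check.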