josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Enforce Recovery Method

Browse Source
This commit is contained in:
Mohamed ElKalioby
2022-09-07 11:53:26 +03:00
parent e42770e852
commit dcd962ad16
15 changed files with 124 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@@ -2,6 +2,11 @@
## 2.6.0 (dev)
* Adding Backup Recovery Codes (Recovery) as a method.
Thanks to @Spitfireap for work, and @peterthomassen for guidance.
* Added: `RECOVERY_ITERATION` to set the number of iteration when hashing recovery token
* Added: `MFA_ENFORCE_RECOVERY_METHOD` to enforce the user to enroll in the recovery code method once, they add any other method,
* Added: `MFA_ALWAYS_GO_TO_LAST_METHOD` to the settings which redirects the user automatically to the last used method when logging in
* Added: `MFA_RENAME_METHODS` to be able to rename the methods for the user.
* Fix: Alot of CSS fixes for the example application
## 2.5.0

4
README.md
View File

@@ -76,6 +76,8 @@ Depends on
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
MFA_ALWAYS_GO_TO_LAST_METHOD = False # Always redirect the user to the last method used to save a click (Added in 2.6.0).
MFA_RENAME_METHODS={} #Rename the methods in a more user-friendly way e.g {"RECOVERY":"Backup Codes"} (Added in 2.6.0)
MFA_HIDE_DISABLE=('FIDO2',) # Can the user disable his key (Added in 1.2.0).
MFA_OWNED_BY_ENTERPRISE = FALSE # Who owns security keys
PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS #Comment if PASSWORD_HASHER already set
@@ -102,6 +104,8 @@ Depends on
* Starting version 1.7.0, Key owners can be specified.
* Starting version 2.2.0
* Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
Start version 2.6.0
* Added: `MFA_ALWAYS_GO_TO_LAST_METHOD`, & `MFA_RENAME_METHODS`
4. Break your login function
Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change

5
example/example/settings.py
View File

@@ -143,11 +143,14 @@ MFA_QUICKLOGIN=True # Allow quick login for returning users by provide on
MFA_HIDE_DISABLE=('',) # Can the user disable his key (Added in 1.2.0).
MFA_REDIRECT_AFTER_REGISTRATION="registered"
MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
MFA_ALWAYS_GO_TO_LAST_METHOD = True
MFA_ENFORCE_RECOVERY_METHOD = True
MFA_RENAME_METHODS = {"RECOVERY":"Backup Codes","FIDO2":"Biometric Authentication"}
PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS #Comment if PASSWORD_HASHER already set
PASSWORD_HASHERS += ['mfa.recovery.Hash']
RECOVERY_ITERATION = 1 #Number of iteration for recovery code, higher is more secure, but uses more resources for generation and check...
TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name
U2F_APPID="https://localhost" #URL For U2F
U2F_APPID="https://localhost:9000" #URL For U2F
FIDO_SERVER_ID="localhost" # Server rp id for FIDO2, it the full domain of your project
FIDO_SERVER_NAME="TestApp"

2
example/example/templates/base.html
View File

@@ -10,7 +10,7 @@
<meta name="description" content="">
<meta name="author" content="">
<title>SB Admin - Blank Page</title>
<title>Django-mfa2 Example</title>
<!-- Custom fonts for this template-->
<link href="{% static 'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">

6
mfa/Email.py
View File

@@ -34,10 +34,16 @@ def start(request):
from django.core.urlresolvers import reverse
except:
from django.urls import reverse
if getattr(settings, 'MFA_ENFORCE_RECOVERY_METHOD', False) and not User_Keys.objects.filter(
key_type="RECOVERY", username=request.user.username).exists():
request.session["mfa_reg"] = {"method": "Email",
"name": getattr(settings, "MFA_RENAME_METHODS", {}).get("Email", "Email")}
else:
return HttpResponseRedirect(reverse(getattr(settings,'MFA_REDIRECT_AFTER_REGISTRATION','mfa_home')))
context["invalid"] = True
else:
request.session["email_secret"] = str(randint(0,100000)) #generate a random integer
if sendEmail(request, request.user.username, request.session["email_secret"]):
context["sent"] = True
return render(request,"Email/Add.html", context)

8
mfa/FIDO2.py
View File

@@ -66,6 +66,10 @@ def complete_reg(request):
uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
uk.key_type = "FIDO2"
uk.save()
if getattr(settings, 'MFA_ENFORCE_RECOVERY_METHOD', False) and not User_Keys.objects.filter(key_type = "RECOVERY", username=request.user.username).exists():
request.session["mfa_reg"] = {"method":"FIDO2","name": getattr(settings, "MFA_RENAME_METHODS", {}).get("FIDO2", "FIDO2")}
return HttpResponse(simplejson.dumps({'status': 'RECOVERY'}))
else:
return HttpResponse(simplejson.dumps({'status': 'OK'}))
except Exception as exp:
import traceback
@@ -79,9 +83,11 @@ def complete_reg(request):
def start(request):
"""Start Registeration a new FIDO Token"""
"""Start Registration a new FIDO Token"""
context = csrf(request)
context.update(get_redirect_url())
context["method"] = {"name":getattr(settings,"MFA_RENAME_METHODS",{}).get("FIDO2","FIDO2 Security Key")}
context["RECOVERY_METHOD"]=getattr(settings,"MFA_RENAME_METHODS",{}).get("RECOVERY","Recovery codes")
return render(request, "FIDO2/Add.html", context)

19
mfa/U2F.py
View File

@@ -52,8 +52,8 @@ def validate(request,username):
challenge = request.session.pop('_u2f_challenge_')
device, c, t = complete_authentication(challenge, data, [settings.U2F_APPID])
key=User_Keys.objects.get(username=username,properties__shas="$.device.publicKey=%s"%device["publicKey"])
try:
key=User_Keys.objects.get(username=username,properties__icontains='"publicKey": "%s"'%device["publicKey"])
key.last_used=timezone.now()
key.save()
mfa = {"verified": True, "method": "U2F","id":key.id}
@@ -63,14 +63,18 @@ def validate(request,username):
seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
request.session["mfa"] = mfa
return True
except:
return False
def auth(request):
context=csrf(request)
s=sign(request.session["base_username"])
request.session["_u2f_challenge_"]=s[0]
context["token"]=s[1]
return render(request,"U2F/Auth.html")
context["method"] = {"name": getattr(settings, "MFA_RENAME_METHODS", {}).get("U2F", "Classical Security Key")}
return render(request,"U2F/Auth.html",context)
def start(request):
enroll = begin_registration(settings.U2F_APPID, [])
@@ -78,6 +82,8 @@ def start(request):
context=csrf(request)
context["token"]=simplejson.dumps(enroll.data_for_client)
context.update(get_redirect_url())
context["method"] = {"name": getattr(settings, "MFA_RENAME_METHODS", {}).get("U2F", "Classical Security Key")}
context["RECOVERY_METHOD"] = getattr(settings, "MFA_RENAME_METHODS", {}).get("RECOVERY", "Recovery codes")
return render(request,"U2F/Add.html",context)
@@ -98,6 +104,11 @@ def bind(request):
uk.properties = {"device":simplejson.loads(device.json),"cert":cert_hash}
uk.key_type = "U2F"
uk.save()
if getattr(settings, 'MFA_ENFORCE_RECOVERY_METHOD', False) and not User_Keys.objects.filter(key_type="RECOVERY",
username=request.user.username).exists():
request.session["mfa_reg"] = {"method": "U2F",
"name": getattr(settings, "MFA_RENAME_METHODS", {}).get("U2F", "Classical Security Key")}
return HttpResponse('RECOVERY')
return HttpResponse("OK")
def sign(username):

7
mfa/recovery.py
View File

@@ -15,7 +15,7 @@ USER_FRIENDLY_NAME = "Recovery Codes"
class Hash(PBKDF2PasswordHasher):
algorithm = 'pbkdf2_sha256_custom'
iterations = settings.RECOVERY_ITERATION
iterations = getattr(settings,"RECOVERY_ITERATION",1)
def delTokens(request):
#Only when all MFA have been deactivated, or to generate new !
@@ -116,4 +116,7 @@ def auth(request):
@never_cache
def start(request):
"""Start Managing recovery tokens"""
return render(request,"RECOVERY/Add.html",get_redirect_url())
context = get_redirect_url()
if "mfa_reg" in request.session:
context["mfa_redirect"] = request.session["mfa_reg"]["name"]
return render(request,"RECOVERY/Add.html",context)

7
mfa/templates/FIDO2/Add.html
View File

@@ -33,6 +33,11 @@
{
if (res["status"] =='OK')
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
else if (res['status'] = "RECOVERY")
{
setTimeout(function (){location.href="{% url 'manage_recovery_codes' %}"},2500)
$("#res").html("<div class='alert alert-success'>Registered Successfully, but <a href='{% url 'manage_recovery_codes' %}'>redirecting to {{ RECOVERY_METHOD }} method</a></div>")
}
else
$("#res").html("<div class='alert alert-danger'>Registration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
@@ -61,7 +66,7 @@
<div class="container">
<div class="panel panel-default card">
<div class="panel-heading card-header">
<strong> FIDO2 Security Key</strong>
<strong> Adding a New {{ method.name }}</strong>
</div>
<div class="panel-body card-body">

9
mfa/templates/RECOVERY/Add.html
View File

@@ -35,13 +35,16 @@
$.ajax({"url":"{% url 'get_recovery_token_left' %}", dataType:"JSON",
success:function (data) {
tokenLeft = data.left
let html
html = ""
{% if mfa_redirect %}
html += "<div class='alert alert-success'>You have enrolled successfully in {{ mfa_redirect }} method, please generate recovery codes so that you can use in case you lost access to all your verification methods.</div>"
{% endif %}
if (tokenLeft == 0) {
html = "<h6>You don't have any backup code left, please generate new ones !</h6>"
html += "<h6>You don't have any backup code linked to your account, please generate new ones !</h6>"
}
else {
html = "<p>You still have "+tokenLeft+" backup code left."
html += "<p>You still have "+tokenLeft+" backup code left."
}
document.getElementById('tokens').innerHTML = html
}})

31
mfa/templates/TOTP/Add.html
View File

@@ -38,13 +38,16 @@
$.ajax({
"url":"{% url 'verify_otop' %}?key="+key+ "&answer="+answer,
success:function (data) {
if (data == "Error")
alert("You entered wrong numbers, please try again")
else
if (data =='Success')
$("#res").html("<div class='alert alert-success'>Your authenticator is registered successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
else if (data == "RECOVERY")
{
alert("Your authenticator is added successfully.")
window.location.href="{{ redirect_html }}"
setTimeout(function (){location.href="{% url 'manage_recovery_codes' %}"},2500)
$("#res").html("<div class='alert alert-success'>Your authenticator is registered successfully, but <a href='{% url 'manage_recovery_codes' %}'>redirecting to {{ RECOVERY_METHOD }} method</a></div>")
}
else
$("#res").html("<div class='alert alert-danger'>The code provided doesn't match the key, please try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
}
})
}
@@ -66,20 +69,23 @@
<div class="container d-flex justify-content-center">
<div class="col-md-6 col-md-offset-3" id="two-factor-steps">
<div class="row" align="center">
<h4>Adding Authenticator</h4>
<h4>Adding a new {{ method.name }}</h4>
</div>
<div class="row">
<p>Scan the image below with the two-factor authentication app on your <a href="javascript:void(0)" onclick="showTOTP()">phone/PC</a>. If you cant use a barcode,
<a href="javascript:void(0)" onclick="showKey()">enter this text</a> instead. </p>
</div>
<div id="res">
<div class="row">
</div>
<div class="row" style="text-align: center">
<div align="center" style="display: none" id="second_step">
<div align="center" style="display: none;text-align: center;align-content: center" id="second_step">
<img id="qr"/>
</div>
</div>
<div class="row">
@@ -88,16 +94,13 @@
</div>
<div class="row">
<div class="offset-md-4 col-md-4">
<input style="display: inline;width: 95%" maxlength="6" size="6" class="form-control" id="answer" placeholder="e.g 785481"/>
</div>
</div>
<div class="row" style="padding-top: 10px;">
<div class="col-md-6" style="padding-left: 0px">
<div class="col-md-4 offset-md-4" style="padding-left: 0px">
<button class="btn btn-success" onclick="verify()">Enable</button>
</div>
<div class="col-md-6" align="right" style="padding-right: 30px">
<a href="{% url 'mfa_home' %}" class="btn btn-default btn-secondary" role="button">Cancel</a>
</div>
</div>

23
mfa/templates/U2F/Add.html
View File

@@ -13,7 +13,7 @@
</style>
<script src="{% static 'mfa/js/u2f-api.js' %}" type="text/javascript"></script>
<script type="text/javascript">
$(document).ready(function addToken() {
function addToken() {
data=JSON.parse('{{ token|safe }}')
console.log(data)
u2f.register(data.appId,data.registerRequests,data.registeredKeys,function (response) {
@@ -21,15 +21,24 @@
"url":"{% url 'bind_u2f' %}",method:"POST",
data:{"csrfmiddlewaretoken":"{{ csrf_token }}","response":JSON.stringify(response)},
success:function (data) {
if (data == "OK")
if (data =='OK')
$("#res").html("<div class='alert alert-success'>Your device is registered successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
else if (data == "RECOVERY")
{
alert("Your device is added successfully.")
window.location.href="{{ redirect_html }}"
setTimeout(function (){location.href="{% url 'manage_recovery_codes' %}"},2500)
$("#res").html("<div class='alert alert-success'>Your device is registered successfully, but <a href='{% url 'manage_recovery_codes' %}'>redirecting to {{ RECOVERY_METHOD }} method</a></div>")
}
else
$("#res").html("<div class='alert alert-danger'>Registration failed, please <a href='javascript:void(0)' onclick='addToken()'>try again</a> or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
},
error: function (data)
{
$("#res").html("<div class='alert alert-danger'>Registration failed, please <a href='javascript:void(0)' onclick='addToken()'>try again</a> or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
}
})
},5000)
})
}
$(document).ready(addToken())
</script>
{% endblock %}
@@ -37,9 +46,11 @@
<br/>
<br/>
<div class="container">
<div class="col-md-6 col-md-offset-3" id="two-factor-steps">
<div id="res"></div>
<div class="row" align="center">
<h4>Adding Security Key</h4>
<h4>Adding {{ method.name}}</h4>
</div>
<div class="row">
<p style="color: green">Your secure Key should be flashing now, please press on button.</p>

2
mfa/templates/U2F/recheck.html
View File

@@ -4,7 +4,7 @@
<div class="col-sm-10 col-sm-offset-1 col-xs-12 col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2">
<div class="panel panel-default card">
<div class="panel-heading card-header">
<strong> Security Key</strong>
<strong> Verify your identity using {{ method.name }}</strong>
</div>
<div class="panel-body card-body">

11
mfa/totp.py
View File

@@ -72,10 +72,19 @@ def verify(request):
#uk.name="Authenticatior #%s"%User_Keys.objects.filter(username=user.username,type="TOTP")
uk.key_type="TOTP"
uk.save()
if getattr(settings, 'MFA_ENFORCE_RECOVERY_METHOD', False) and not User_Keys.objects.filter(key_type="RECOVERY",
username=request.user.username).exists():
request.session["mfa_reg"] = {"method": "TOTP",
"name": getattr(settings, "MFA_RENAME_METHODS", {}).get("TOTP", "TOTP")}
return HttpResponse("RECOVERY")
else:
return HttpResponse("Success")
else: return HttpResponse("Error")
@never_cache
def start(request):
"""Start Adding Time One Time Password (TOTP)"""
return render(request,"TOTP/Add.html",get_redirect_url())
context = get_redirect_url()
context["RECOVERY_METHOD"] = getattr(settings, "MFA_RENAME_METHODS", {}).get("RECOVERY", "Recovery codes")
context["method"] = {"name":getattr(settings,"MFA_RENAME_METHODS",{}).get("TOTP","Authenticator")}
return render(request,"TOTP/Add.html",context)

1
mfa/views.py
View File

@@ -48,6 +48,7 @@ def verify(request,username):
return HttpResponseRedirect(reverse(methods[0].lower()+"_auth"))
if getattr(settings,"MFA_ALWAYS_GO_TO_LAST_METHOD",False):
keys = keys.exclude(last_used__isnull=True).order_by("last_used")
if keys.count()>0:
return HttpResponseRedirect(reverse(keys[0].key_type.lower() + "_auth"))
return show_methods(request)