josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: josh:Issue_37
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9
..
compare: josh:v2.2.0
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9

3 Commits
Issue_37 ... v2.2.0

Author SHA1 Message Date
Mohamed ElKalioby
7a154cfa34 Releasing v2.2.0 2021-05-30 09:24:25 +03:00
Mohamed El-Kalioby
958775418d Allowing setting the redirect url and text 2021-05-28 16:38:27 +03:00
Mohamed El-Kalioby
ef8287666c Closes #37 2021-03-02 19:44:05 +03:00
21 changed files with 93 additions and 37 deletions
Expand all files Collapse all files

6
CHANGELOG.md
View File

@@ -1,12 +1,16 @@
# Change Log # Change Log
## 2.2.0
* Added: MFA_REDIRECT_AFTER_REGISTRATION settings parameter
* Fixed: Deprecation error for NULBooleanField
## 2.1.2 ## 2.1.2
* Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception * Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception
* Upgraded to FIDO 0.9.1 * Upgraded to FIDO 0.9.1
## 2.1.1 ## 2.1.1
* Fixed: FIDO2 version in requirments.txt file. * Fixed: FIDO2 version in requirements.txt file.
## 2.1.0 ## 2.1.0
* Added Support for Touch ID for Mac OSx and iOS 14 on Safari * Added Support for Touch ID for Mac OSx and iOS 14 on Safari

4
README.md
View File

@@ -68,6 +68,8 @@ Depends on
MFA_UNALLOWED_METHODS=() # Methods that shouldn't be allowed for the user MFA_UNALLOWED_METHODS=() # Methods that shouldn't be allowed for the user
MFA_LOGIN_CALLBACK="" # A function that should be called by username to login the user in session MFA_LOGIN_CALLBACK="" # A function that should be called by username to login the user in session
MFA_RECHECK=True # Allow random rechecking of the user MFA_RECHECK=True # Allow random rechecking of the user
MFA_REDIRECT_AFTER_REGISTRATION="mfa_home" # Allows Changing the page after successful registeration
MFA_SUCCESS_REGISTRATION_MSG = "Go to Security Home" # The text of the link
MFA_RECHECK_MIN=10 # Minimum interval in seconds MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
@@ -91,6 +93,8 @@ Depends on
**Notes**: **Notes**:
* Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore. * Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore.
* Starting version 1.7.0, Key owners can be specified. * Starting version 1.7.0, Key owners can be specified.
* Starting version 2.2.0
* Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
1. Break your login function 1. Break your login function
Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change

6
docs/change_login.md
View File

@@ -9,8 +9,8 @@ Usually your login function will check for username and password, log the user i
* if user has mfa then redirect to mfa page * if user has mfa then redirect to mfa page
* if user doesn't have mfa then call your function to create the user session * if user doesn't have mfa then call your function to create the user session
<code> ```python
def login(request): # this function handles the login form POST def login(request): # this function handles the login form POST
user = auth.authenticate(username=username, password=password) user = auth.authenticate(username=username, password=password)
if user is not None: # if the user object exist if user is not None: # if the user object exist
from mfa.helpers import has_mfa from mfa.helpers import has_mfa
@@ -19,5 +19,5 @@ Usually your login function will check for username and password, log the user i
return res return res
return log_user_in(request,username=user.username) return log_user_in(request,username=user.username)
#log_user_in is a function that handles creatung user session, it should be in the setting file as MFA_CALLBACK #log_user_in is a function that handles creatung user session, it should be in the setting file as MFA_CALLBACK
</code> ```

10
example/example/settings.py
View File

@@ -77,10 +77,8 @@ WSGI_APPLICATION = 'example.wsgi.application'
DATABASES = { DATABASES = {
'default': { 'default': {
'ENGINE': 'django.db.backends.mysql', 'ENGINE': 'django.db.backends.sqlite3',
'NAME': 'mfa', 'NAME': 'test_db',
'USER': 'root',
'PASSWORD': 'password',
} }
} }
@@ -141,7 +139,9 @@ MFA_RECHECK=True # Allow random rechecking of the user
MFA_RECHECK_MIN=10 # Minimum interval in seconds MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
MFA_HIDE_DISABLE=('FIDO2',) # Can the user disable his key (Added in 1.2.0). MFA_HIDE_DISABLE=('',) # Can the user disable his key (Added in 1.2.0).
MFA_REDIRECT_AFTER_REGISTRATION="registered"
MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name

3
example/example/templates/home.html
View File

@@ -12,6 +12,9 @@
</ol> </ol>
<!-- Page Content --> <!-- Page Content -->
{% if registered %}
<div class="alert alert-success">Registered Successfully</div>
{% endif %}
<h1>Welcome {{ request.user.username }}!</h1> <h1>Welcome {{ request.user.username }}!</h1>
<hr> <hr>

3
example/example/urls.py
View File

@@ -22,5 +22,6 @@ urlpatterns = [
path('auth/login',auth.loginView,name="login"), path('auth/login',auth.loginView,name="login"),
path('auth/logout',auth.logoutView,name="logout"), path('auth/logout',auth.logoutView,name="logout"),
re_path('^$',views.home,name='home') re_path('^$',views.home,name='home'),
path('registered/',views.registered,name='registered')
] ]

4
example/example/views.py
View File

@@ -5,3 +5,7 @@ from django.contrib.auth.decorators import login_required
@login_required() @login_required()
def home(request): def home(request):
return render(request,"home.html",{}) return render(request,"home.html",{})
@login_required()
def registered(request):
return render(request,"home.html",{"registered":True})

4
example/requiremnts.txt
View File

@@ -1,2 +1,2 @@
django==2.0 django >= 2.2
django-sslserver django_ssl

8
mfa/Common.py
View File

@@ -1,5 +1,9 @@
from django.conf import settings from django.conf import settings
from django.core.mail import EmailMessage from django.core.mail import EmailMessage
try:
from django.urls import reverse
except:
from django.core.urlresolver import reverse
def send(to,subject,body): def send(to,subject,body):
from_email_address = settings.EMAIL_HOST_USER from_email_address = settings.EMAIL_HOST_USER
@@ -9,3 +13,7 @@ def send(to,subject,body):
email = EmailMessage(subject,body,From,to) email = EmailMessage(subject,body,From,to)
email.content_subtype = "html" email.content_subtype = "html"
return email.send(False) return email.send(False)
def get_redirect_url():
return {"redirect_html": reverse(getattr(settings, 'MFA_REDIRECT_AFTER_REGISTRATION', 'mfa_home')),
"reg_success_msg":getattr(settings,"MFA_SUCCESS_REGISTRATION_MSG")}

10
mfa/Email.py
View File

@@ -7,7 +7,9 @@ from .models import *
#from django.template.context import RequestContext #from django.template.context import RequestContext
from .views import login from .views import login
from .Common import send from .Common import send
def sendEmail(request,username,secret): def sendEmail(request,username,secret):
"""Send Email to the user after rendering `mfa_email_token_template`"""
from django.contrib.auth import get_user_model from django.contrib.auth import get_user_model
User = get_user_model() User = get_user_model()
key = getattr(User, 'USERNAME_FIELD', 'username') key = getattr(User, 'USERNAME_FIELD', 'username')
@@ -18,9 +20,10 @@ def sendEmail(request,username,secret):
@never_cache @never_cache
def start(request): def start(request):
"""Start adding email as a 2nd factor"""
context = csrf(request) context = csrf(request)
if request.method == "POST": if request.method == "POST":
if request.session["email_secret"] == request.POST["otp"]: if request.session["email_secret"] == request.POST["otp"]: #if successful
uk=User_Keys() uk=User_Keys()
uk.username=request.user.username uk.username=request.user.username
uk.key_type="Email" uk.key_type="Email"
@@ -31,15 +34,16 @@ def start(request):
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
except: except:
from django.urls import reverse from django.urls import reverse
return HttpResponseRedirect(reverse('mfa_home')) return HttpResponseRedirect(reverse(getattr(settings,'MFA_REDIRECT_AFTER_REGISTRATION','mfa_home')))
context["invalid"] = True context["invalid"] = True
else: else:
request.session["email_secret"] = str(randint(0,100000)) request.session["email_secret"] = str(randint(0,100000)) #generate a random integer
if sendEmail(request, request.user.username, request.session["email_secret"]): if sendEmail(request, request.user.username, request.session["email_secret"]):
context["sent"] = True context["sent"] = True
return render(request,"Email/Add.html", context) return render(request,"Email/Add.html", context)
@never_cache @never_cache
def auth(request): def auth(request):
"""Authenticating the user by email."""
context=csrf(request) context=csrf(request)
if request.method=="POST": if request.method=="POST":
if request.session["email_secret"]==request.POST["otp"].strip(): if request.session["email_secret"]==request.POST["otp"].strip():

7
mfa/FIDO2.py
View File

@@ -14,10 +14,12 @@ from fido2.utils import websafe_decode, websafe_encode
from fido2.ctap2 import AttestedCredentialData from fido2.ctap2 import AttestedCredentialData
from .views import login, reset_cookie from .views import login, reset_cookie
import datetime import datetime
from .Common import get_redirect_url
from django.utils import timezone from django.utils import timezone
def recheck(request): def recheck(request):
"""Starts FIDO2 recheck"""
context = csrf(request) context = csrf(request)
context["mode"] = "recheck" context["mode"] = "recheck"
request.session["mfa_recheck"] = True request.session["mfa_recheck"] = True
@@ -25,11 +27,13 @@ def recheck(request):
def getServer(): def getServer():
"""Get Server Info from settings and returns a Fido2Server"""
rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME) rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
return Fido2Server(rp) return Fido2Server(rp)
def begin_registeration(request): def begin_registeration(request):
"""Starts registering a new FIDO Device, called from API"""
server = getServer() server = getServer()
registration_data, state = server.register_begin({ registration_data, state = server.register_begin({
u'id': request.user.username.encode("utf8"), u'id': request.user.username.encode("utf8"),
@@ -43,6 +47,7 @@ def begin_registeration(request):
@csrf_exempt @csrf_exempt
def complete_reg(request): def complete_reg(request):
"""Completes the registeration, called by API"""
try: try:
data = cbor.decode(request.body) data = cbor.decode(request.body)
@@ -72,7 +77,9 @@ def complete_reg(request):
def start(request): def start(request):
"""Start Registeration a new FIDO Token"""
context = csrf(request) context = csrf(request)
context.update(get_redirect_url())
return render(request, "FIDO2/Add.html", context) return render(request, "FIDO2/Add.html", context)

1
mfa/U2F.py
View File

@@ -76,6 +76,7 @@ def start(request):
request.session['_u2f_enroll_'] = enroll.json request.session['_u2f_enroll_'] = enroll.json
context=csrf(request) context=csrf(request)
context["token"]=simplejson.dumps(enroll.data_for_client) context["token"]=simplejson.dumps(enroll.data_for_client)
context.update(get_redirect_url())
return render(request,"U2F/Add.html",context) return render(request,"U2F/Add.html",context)

2
mfa/__init__.py
View File

@@ -1 +1 @@
__version__="2.1.0" __version__="2.2.0"

18
mfa/migrations/0011_auto_20210530_0622.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 2.2 on 2021-05-30 06:22
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('mfa', '0010_auto_20201110_0557'),
]
operations = [
migrations.AlterField(
model_name='user_keys',
name='owned_by_enterprise',
field=models.BooleanField(blank=True, default=None, null=True),
),
]

8
mfa/models.py
View File

@@ -2,9 +2,9 @@ from django.db import models
from jsonfield import JSONField from jsonfield import JSONField
from jose import jwt from jose import jwt
from django.conf import settings from django.conf import settings
from jsonLookup import shasLookup, hasLookup #from jsonLookup import shasLookup, hasLookup
JSONField.register_lookup(shasLookup) # JSONField.register_lookup(shasLookup)
JSONField.register_lookup(hasLookup) # JSONField.register_lookup(hasLookup)
class User_Keys(models.Model): class User_Keys(models.Model):
@@ -15,7 +15,7 @@ class User_Keys(models.Model):
enabled=models.BooleanField(default=True) enabled=models.BooleanField(default=True)
expires=models.DateTimeField(null=True,default=None,blank=True) expires=models.DateTimeField(null=True,default=None,blank=True)
last_used=models.DateTimeField(null=True,default=None,blank=True) last_used=models.DateTimeField(null=True,default=None,blank=True)
owned_by_enterprise=models.NullBooleanField(default=None,null=True,blank=True) owned_by_enterprise=models.BooleanField(default=None,null=True,blank=True)
def save(self, force_insert=False, force_update=False, using=None, update_fields=None): def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
if self.key_type == "Trusted Device" and self.properties.get("signature","") == "": if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":

2
mfa/templates/FIDO2/Add.html
View File

@@ -32,7 +32,7 @@
}).then(function (res) }).then(function (res)
{ {
if (res["status"] =='OK') if (res["status"] =='OK')
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>") $("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
else else
$("#res").html("<div class='alert alert-danger'>Registeration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>") $("#res").html("<div class='alert alert-danger'>Registeration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")

2
mfa/templates/TOTP/Add.html
View File

@@ -43,7 +43,7 @@
else else
{ {
alert("Your authenticator is added successfully.") alert("Your authenticator is added successfully.")
window.location.href="{% url 'mfa_home' %}" window.location.href="{{ redirect_html }}"
} }
} }
}) })

2
mfa/templates/U2F/Add.html
View File

@@ -24,7 +24,7 @@
if (data == "OK") if (data == "OK")
{ {
alert("Your device is added successfully.") alert("Your device is added successfully.")
window.location.href="{% url 'mfa_home' %}" window.location.href="{{ redirect_html }}"
} }
} }
}) })

3
mfa/totp.py
View File

@@ -72,4 +72,5 @@ def verify(request):
@never_cache @never_cache
def start(request): def start(request):
return render(request,"TOTP/Add.html",{}) """Start Adding Time One Time Password (TOTP)"""
return render(request,"TOTP/Add.html",get_redirect_url())

4
requirements.txt
View File

@@ -1,4 +1,4 @@
django >= 1.7 django >= 2.0
jsonfield jsonfield
simplejson simplejson
pyotp pyotp
@@ -6,5 +6,5 @@ python-u2flib-server
ua-parser ua-parser
user-agents user-agents
python-jose python-jose
fido2 == 0.9.0 fido2 == 0.9.1
jsonLookup jsonLookup

7
setup.py
View File

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
setup( setup(
name='django-mfa2', name='django-mfa2',
version='2.1.2b1', version='2.2.0',
description='Allows user to add 2FA to their accounts', description='Allows user to add 2FA to their accounts',
long_description=open("README.md").read(), long_description=open("README.md").read(),
long_description_content_type="text/markdown", long_description_content_type="text/markdown",
@@ -31,13 +31,14 @@ setup(
include_package_data=True, include_package_data=True,
zip_safe=False, # because we're including static files zip_safe=False, # because we're including static files
classifiers=[ classifiers=[
"Development Status :: 4 - Beta", "Development Status :: 5 - Production/Stable",
"Environment :: Web Environment", "Environment :: Web Environment",
"Framework :: Django", "Framework :: Django",
"Framework :: Django :: 1.11",
"Framework :: Django :: 2.0", "Framework :: Django :: 2.0",
"Framework :: Django :: 2.1", "Framework :: Django :: 2.1",
"Framework :: Django :: 2.2", "Framework :: Django :: 2.2",
"Framework :: Django :: 3.0",
"Framework :: Django :: 3.1",
"Intended Audience :: Developers", "Intended Audience :: Developers",
"Operating System :: OS Independent", "Operating System :: OS Independent",
"Programming Language :: Python", "Programming Language :: Python",