josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: josh:Postgres
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9
..
compare: josh:v2.2.1
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9

7 Commits
Postgres ... v2.2.1

Author SHA1 Message Date
Mohamed El-Kalioby
3f41cff8c3 Add AndreasDickow to Contributors 2021-09-05 12:01:50 +03:00
Mohamed El-Kalioby
1c95f196fe Update CHANGELOG.md 2021-09-05 12:00:38 +03:00
Mohamed El-Kalioby
a841bde6cc Merge pull request #52 from AndreasDickow/master 2021-08-11 12:22:47 +03:00
Andreas Dickow
41b7bd2929 Fix missing import of get_redirect_url in totp and U2F 2021-08-11 11:18:12 +02:00
Mohamed El-Kalioby
6cfc4ff5d4 Fix example link 2021-06-25 10:18:53 +03:00
Mohamed ElKalioby
7a154cfa34 Releasing v2.2.0 2021-05-30 09:24:25 +03:00
Mohamed El-Kalioby
958775418d Allowing setting the redirect url and text 2021-05-28 16:38:27 +03:00
23 changed files with 107 additions and 49 deletions
Expand all files Collapse all files

8
CHANGELOG.md
View File

@@ -1,4 +1,10 @@
# Change Log
## 2.2.1
* Fixed: A missing import Thanks @AndreasDickow
## 2.2.0
* Added: MFA_REDIRECT_AFTER_REGISTRATION settings parameter
* Fixed: Deprecation error for NULBooleanField
## 2.1.2
* Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception
@@ -6,7 +12,7 @@
## 2.1.1
* Fixed: FIDO2 version in requirments.txt file.
* Fixed: FIDO2 version in requirements.txt file.
## 2.1.0
* Added Support for Touch ID for Mac OSx and iOS 14 on Safari

7
README.md
View File

@@ -68,6 +68,8 @@ Depends on
MFA_UNALLOWED_METHODS=() # Methods that shouldn't be allowed for the user
MFA_LOGIN_CALLBACK="" # A function that should be called by username to login the user in session
MFA_RECHECK=True # Allow random rechecking of the user
MFA_REDIRECT_AFTER_REGISTRATION="mfa_home" # Allows Changing the page after successful registeration
MFA_SUCCESS_REGISTRATION_MSG = "Go to Security Home" # The text of the link
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
@@ -91,6 +93,8 @@ Depends on
**Notes**:
* Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore.
* Starting version 1.7.0, Key owners can be specified.
* Starting version 2.2.0
* Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
1. Break your login function
Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change
@@ -129,7 +133,7 @@ Depends on
1. Somewhere in your app, add a link to 'mfa_home'
```<li><a href="{% url 'mfa_home' %}">Security</a> </li>```
For Example, See https://github.com/mkalioby/AutoDeploy/commit/5f1d94b1804e0aa33c79e9e8530ce849d9eb78cc in AutDeploy Project
For Example, See 'example' app
# Going Passwordless
@@ -178,6 +182,7 @@ function some_func() {
* [swainn](https://github.com/swainn)
* [unramk](https://github.com/unramk)
* [willingham](https://github.com/willingham)
* [AndreasDickow](https://github.com/AndreasDickow)
# Security contact information

6
docs/change_login.md
View File

@@ -9,8 +9,8 @@ Usually your login function will check for username and password, log the user i
* if user has mfa then redirect to mfa page
* if user doesn't have mfa then call your function to create the user session
<code>
def login(request): # this function handles the login form POST
```python
def login(request): # this function handles the login form POST
user = auth.authenticate(username=username, password=password)
if user is not None: # if the user object exist
from mfa.helpers import has_mfa
@@ -19,5 +19,5 @@ Usually your login function will check for username and password, log the user i
return res
return log_user_in(request,username=user.username)
#log_user_in is a function that handles creatung user session, it should be in the setting file as MFA_CALLBACK
</code>
```

10
example/example/settings.py
View File

@@ -77,10 +77,8 @@ WSGI_APPLICATION = 'example.wsgi.application'
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'mfa',
'USER': 'root',
'PASSWORD': 'password',
'ENGINE': 'django.db.backends.sqlite3',
'NAME': 'test_db',
}
}
@@ -141,7 +139,9 @@ MFA_RECHECK=True # Allow random rechecking of the user
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
MFA_HIDE_DISABLE=() # Can the user disable his key (Added in 1.2.0).
MFA_HIDE_DISABLE=('',) # Can the user disable his key (Added in 1.2.0).
MFA_REDIRECT_AFTER_REGISTRATION="registered"
MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name

3
example/example/templates/home.html
View File

@@ -12,6 +12,9 @@
</ol>
<!-- Page Content -->
{% if registered %}
<div class="alert alert-success">Registered Successfully</div>
{% endif %}
<h1>Welcome {{ request.user.username }}!</h1>
<hr>

5
example/example/urls.py
View File

@@ -16,13 +16,12 @@ Including another URLconf
from django.contrib import admin
from django.urls import path,re_path,include
from . import views,auth
import mfa
urlpatterns = [
path('admin/', admin.site.urls),
path('mfa/', include('mfa.urls')),
path('devices/add', mfa.TrustedDevice.add,name="mfa_add_new_trusted_device"),
path('auth/login',auth.loginView,name="login"),
path('auth/logout',auth.logoutView,name="logout"),
re_path('^$',views.home,name='home')
re_path('^$',views.home,name='home'),
path('registered/',views.registered,name='registered')
]

4
example/example/views.py
View File

@@ -5,3 +5,7 @@ from django.contrib.auth.decorators import login_required
@login_required()
def home(request):
return render(request,"home.html",{})
@login_required()
def registered(request):
return render(request,"home.html",{"registered":True})

4
example/requiremnts.txt
View File

@@ -1,2 +1,2 @@
django==2.0
django-sslserver
django >= 2.2
django_ssl

8
mfa/Common.py
View File

@@ -1,5 +1,9 @@
from django.conf import settings
from django.core.mail import EmailMessage
try:
from django.urls import reverse
except:
from django.core.urlresolver import reverse
def send(to,subject,body):
from_email_address = settings.EMAIL_HOST_USER
@@ -9,3 +13,7 @@ def send(to,subject,body):
email = EmailMessage(subject,body,From,to)
email.content_subtype = "html"
return email.send(False)
def get_redirect_url():
return {"redirect_html": reverse(getattr(settings, 'MFA_REDIRECT_AFTER_REGISTRATION', 'mfa_home')),
"reg_success_msg":getattr(settings,"MFA_SUCCESS_REGISTRATION_MSG")}

10
mfa/Email.py
View File

@@ -7,7 +7,9 @@ from .models import *
#from django.template.context import RequestContext
from .views import login
from .Common import send
def sendEmail(request,username,secret):
"""Send Email to the user after rendering `mfa_email_token_template`"""
from django.contrib.auth import get_user_model
User = get_user_model()
key = getattr(User, 'USERNAME_FIELD', 'username')
@@ -18,9 +20,10 @@ def sendEmail(request,username,secret):
@never_cache
def start(request):
"""Start adding email as a 2nd factor"""
context = csrf(request)
if request.method == "POST":
if request.session["email_secret"] == request.POST["otp"]:
if request.session["email_secret"] == request.POST["otp"]: #if successful
uk=User_Keys()
uk.username=request.user.username
uk.key_type="Email"
@@ -31,15 +34,16 @@ def start(request):
from django.core.urlresolvers import reverse
except:
from django.urls import reverse
return HttpResponseRedirect(reverse('mfa_home'))
return HttpResponseRedirect(reverse(getattr(settings,'MFA_REDIRECT_AFTER_REGISTRATION','mfa_home')))
context["invalid"] = True
else:
request.session["email_secret"] = str(randint(0,100000))
request.session["email_secret"] = str(randint(0,100000)) #generate a random integer
if sendEmail(request, request.user.username, request.session["email_secret"]):
context["sent"] = True
return render(request,"Email/Add.html", context)
@never_cache
def auth(request):
"""Authenticating the user by email."""
context=csrf(request)
if request.method=="POST":
if request.session["email_secret"]==request.POST["otp"].strip():

7
mfa/FIDO2.py
View File

@@ -14,10 +14,12 @@ from fido2.utils import websafe_decode, websafe_encode
from fido2.ctap2 import AttestedCredentialData
from .views import login, reset_cookie
import datetime
from .Common import get_redirect_url
from django.utils import timezone
def recheck(request):
"""Starts FIDO2 recheck"""
context = csrf(request)
context["mode"] = "recheck"
request.session["mfa_recheck"] = True
@@ -25,11 +27,13 @@ def recheck(request):
def getServer():
"""Get Server Info from settings and returns a Fido2Server"""
rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
return Fido2Server(rp)
def begin_registeration(request):
"""Starts registering a new FIDO Device, called from API"""
server = getServer()
registration_data, state = server.register_begin({
u'id': request.user.username.encode("utf8"),
@@ -43,6 +47,7 @@ def begin_registeration(request):
@csrf_exempt
def complete_reg(request):
"""Completes the registeration, called by API"""
try:
data = cbor.decode(request.body)
@@ -72,7 +77,9 @@ def complete_reg(request):
def start(request):
"""Start Registeration a new FIDO Token"""
context = csrf(request)
context.update(get_redirect_url())
return render(request, "FIDO2/Add.html", context)

9
mfa/TrustedDevice.py
View File

@@ -2,6 +2,7 @@ import string
import random
from django.shortcuts import render
from django.http import HttpResponse
from django.template.context import RequestContext
from django.template.context_processors import csrf
from .models import *
import user_agents
@@ -9,7 +10,7 @@ from django.utils import timezone
def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
x=''.join(random.choice(chars) for _ in range(size))
if not User_Keys.objects.filter(properties__icontains=x, key_type="Trusted Device").exists(): return x
if not User_Keys.objects.filter(properties__shas="$.key="+x).exists(): return x
else: return id_generator(size,chars)
def getUserAgent(request):
@@ -18,7 +19,6 @@ def getUserAgent(request):
tk=User_Keys.objects.get(id=id)
if tk.properties.get("user_agent","")!="":
ua = user_agents.parse(tk.properties["user_agent"])
print(ua.os)
res = render(None, "TrustedDevices/user-agent.html", context={"ua":ua})
return HttpResponse(res)
return HttpResponse("")
@@ -62,14 +62,13 @@ def add(request):
key=request.POST["key"].replace("-","").replace(" ","").upper()
context["username"] = request.POST["username"]
context["key"] = request.POST["key"]
trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__iregex=rf'{key}')
trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__has="$.key="+key)
cookie=False
if trusted_keys.exists():
tk=trusted_keys[0]
request.session["td_id"]=tk.id
ua=request.META['HTTP_USER_AGENT']
agent=user_agents.parse(ua)
print(agent.os)
if agent.is_pc:
context["invalid"]="This is a PC, it can't used as a trusted device."
else:
@@ -125,7 +124,7 @@ def verify(request):
json= jwt.decode(request.COOKIES.get('deviceid'),settings.SECRET_KEY)
if json["username"].lower()== request.session['base_username'].lower():
try:
uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__properties__iregex=rf'{json["key"]}')
uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__has="$.key=" + json["key"])
if uk.enabled and uk.properties["status"] == "trusted":
uk.last_used=timezone.now()
uk.save()

6
mfa/U2F.py
View File

@@ -12,6 +12,7 @@ from django.conf import settings
from django.http import HttpResponse
from .models import *
from .views import login
from .Common import get_redirect_url
import datetime
from django.utils import timezone
@@ -52,7 +53,7 @@ def validate(request,username):
challenge = request.session.pop('_u2f_challenge_')
device, c, t = complete_authentication(challenge, data, [settings.U2F_APPID])
key = User_Keys.objects.get(username=username,key_type = "U2F", properties__iregex=rf'{device["publicKey"]}')
key=User_Keys.objects.get(username=username,properties__shas="$.device.publicKey=%s"%device["publicKey"])
key.last_used=timezone.now()
key.save()
mfa = {"verified": True, "method": "U2F","id":key.id}
@@ -69,13 +70,14 @@ def auth(request):
request.session["_u2f_challenge_"]=s[0]
context["token"]=s[1]
return render(request,"U2F/Auth.html",context)
return render(request,"U2F/Auth.html")
def start(request):
enroll = begin_registration(settings.U2F_APPID, [])
request.session['_u2f_enroll_'] = enroll.json
context=csrf(request)
context["token"]=simplejson.dumps(enroll.data_for_client)
context.update(get_redirect_url())
return render(request,"U2F/Add.html",context)

2
mfa/__init__.py
View File

@@ -1 +1 @@
__version__="2.1.2"
__version__="2.2.0"

18
mfa/migrations/0011_auto_20210530_0622.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 2.2 on 2021-05-30 06:22
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('mfa', '0010_auto_20201110_0557'),
]
operations = [
migrations.AlterField(
model_name='user_keys',
name='owned_by_enterprise',
field=models.BooleanField(blank=True, default=None, null=True),
),
]

5
mfa/models.py
View File

@@ -2,6 +2,9 @@ from django.db import models
from jsonfield import JSONField
from jose import jwt
from django.conf import settings
#from jsonLookup import shasLookup, hasLookup
# JSONField.register_lookup(shasLookup)
# JSONField.register_lookup(hasLookup)
class User_Keys(models.Model):
@@ -12,7 +15,7 @@ class User_Keys(models.Model):
enabled=models.BooleanField(default=True)
expires=models.DateTimeField(null=True,default=None,blank=True)
last_used=models.DateTimeField(null=True,default=None,blank=True)
owned_by_enterprise=models.NullBooleanField(default=None,null=True,blank=True)
owned_by_enterprise=models.BooleanField(default=None,null=True,blank=True)
def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":

2
mfa/templates/FIDO2/Add.html
View File

@@ -32,7 +32,7 @@
}).then(function (res)
{
if (res["status"] =='OK')
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
else
$("#res").html("<div class='alert alert-danger'>Registeration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")

2
mfa/templates/TOTP/Add.html
View File

@@ -43,7 +43,7 @@
else
{
alert("Your authenticator is added successfully.")
window.location.href="{% url 'mfa_home' %}"
window.location.href="{{ redirect_html }}"
}
}
})

2
mfa/templates/U2F/Add.html
View File

@@ -24,7 +24,7 @@
if (data == "OK")
{
alert("Your device is added successfully.")
window.location.href="{% url 'mfa_home' %}"
window.location.href="{{ redirect_html }}"
}
}
})

4
mfa/totp.py
View File

@@ -1,6 +1,7 @@
from django.shortcuts import render
from django.views.decorators.cache import never_cache
from django.http import HttpResponse
from .Common import get_redirect_url
from .models import *
from django.template.context_processors import csrf
import simplejson
@@ -72,4 +73,5 @@ def verify(request):
@never_cache
def start(request):
return render(request,"TOTP/Add.html",{})
"""Start Adding Time One Time Password (TOTP)"""
return render(request,"TOTP/Add.html",get_redirect_url())

4
mfa/urls.py
View File

@@ -1,11 +1,10 @@
from . import views,totp,U2F,TrustedDevice,helpers,FIDO2,Email
#app_name='mfa'
try:
from django.urls import re_path as url
except:
from django.conf.urls import url
urlpatterns = [
url(r'totp/start/', totp.start , name="start_new_otop"),
url(r'totp/getToken', totp.getToken , name="get_new_otop"),
@@ -40,7 +39,6 @@ urlpatterns = [
url(r'u2f/secure_device', TrustedDevice.getCookie, name="td_securedevice"),
url(r'^$', views.index, name="mfa_home"),
url(r'devices/add$', TrustedDevice.add,name="mfa_add_new_trusted_device"),
url(r'goto/(.*)', views.goto, name="mfa_goto"),
url(r'selct_method', views.show_methods, name="mfa_methods_list"),
url(r'recheck', helpers.recheck, name="mfa_recheck"),

4
requirements.txt
View File

@@ -1,4 +1,4 @@
django >= 1.7
django >= 2.0
jsonfield
simplejson
pyotp
@@ -6,5 +6,5 @@ python-u2flib-server
ua-parser
user-agents
python-jose
fido2 == 0.9.0
fido2 == 0.9.1
jsonLookup

10
setup.py
View File

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
setup(
name='django-mfa2',
version='2.2.0b1',
version='2.2.0',
description='Allows user to add 2FA to their accounts',
long_description=open("README.md").read(),
long_description_content_type="text/markdown",
@@ -25,20 +25,20 @@ setup(
'user-agents',
'python-jose',
'fido2 == 0.9.1',
# 'jsonLookup'
'jsonLookup'
],
python_requires=">=3.5",
include_package_data=True,
zip_safe=False, # because we're including static files
classifiers=[
"Development Status :: 4 - Beta",
#"Development Status :: 5 - Production/Stable",
"Development Status :: 5 - Production/Stable",
"Environment :: Web Environment",
"Framework :: Django",
"Framework :: Django :: 1.11",
"Framework :: Django :: 2.0",
"Framework :: Django :: 2.1",
"Framework :: Django :: 2.2",
"Framework :: Django :: 3.0",
"Framework :: Django :: 3.1",
"Intended Audience :: Developers",
"Operating System :: OS Independent",
"Programming Language :: Python",