Upgraded to version 2.0

Two Fixes to Make Email Method More Robust

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## 2.0
+  * Dropped support to djangp-1.8 and Python 2.7
+  * Added: never-cache decorator
+  * Fixes to Make Email Method More Robust 
+  * Addresses several structure and style issues with TOTP and Email dialogs
+  * Updated to fido2 0.8.1
+    
+Thanks to @swainn
+
 ## v1.9.1
    * Fixed: is_authenticated #13
    * Fixed: is_anonymous #6

README.md

@@ -53,7 +53,7 @@ Depends on
    MFA_RECHECK_MAX=30         # Maximum in seconds
    MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide only their 2FA
    MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).
-   MFA_OWNED_BY_ENTERPRISE = FALSE  # Who ownes security keys   
+   MFA_OWNED_BY_ENTERPRISE = FALSE  # Who owns security keys   
 
    TOKEN_ISSUER_NAME="PROJECT_NAME"      #TOTP Issuer name
 
@@ -156,3 +156,5 @@ function some_func() {
 # Contributors
 * [mahmoodnasr](https://github.com/mahmoodnasr)
 * [d3cline](https://github.com/d3cline)
+* [swainn](https://github.com/swainn)
+* [unramk](https://github.com/unramk)

mfa/Common.py

@@ -2,7 +2,10 @@ from django.conf import settings
 from django.core.mail import EmailMessage
 
 def send(to,subject,body):
-    From = "%s <%s>" % (settings.EMAIL_FROM, settings.EMAIL_HOST_USER)
+    from_email_address = settings.EMAIL_HOST_USER
+    if '@' not in from_email_address:
+        from_email_address = settings.DEFAULT_FROM_EMAIL
+    From = "%s <%s>" % (settings.EMAIL_FROM, from_email_address)
     email = EmailMessage(subject,body,From,to)
     email.content_subtype = "html"
     return email.send(False)

mfa/Email.py

@@ -1,4 +1,5 @@
 from django.shortcuts import render
+from django.views.decorators.cache import never_cache
 from django.template.context_processors import csrf
 import datetime,random
 from random import randint
@@ -13,8 +14,9 @@ def sendEmail(request,username,secret):
     kwargs = {key: username}
     user = User.objects.get(**kwargs)
     res=render(request,"mfa_email_token_template.html",{"request":request,"user":user,'otp':secret})
-    return  send([user.email],"OTP", str(res.content))
+    return send([user.email],"OTP", res.content.decode())
 
+@never_cache
 def start(request):
     context = csrf(request)
     if request.method == "POST":
@@ -36,6 +38,7 @@ def start(request):
         if sendEmail(request, request.user.username, request.session["email_secret"]):
             context["sent"] = True
     return render(request,"Email/Add.html", context)
+@never_cache
 def auth(request):
     context=csrf(request)
     if request.method=="POST":

mfa/FIDO2.py

@@ -1,5 +1,5 @@
 from fido2.client import ClientData
-from fido2.server import Fido2Server, RelyingParty
+from fido2.server import Fido2Server, PublicKeyCredentialRpEntity
 from fido2.ctap2 import AttestationObject, AuthenticatorData
 from django.template.context_processors import csrf
 from django.views.decorators.csrf import csrf_exempt
@@ -24,7 +24,7 @@ def recheck(request):
 
 
 def getServer():
-    rp = RelyingParty(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
+    rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
     return Fido2Server(rp)
 def begin_registeration(request):
     server = getServer()

mfa/migrations/0009_user_keys_owned_by_enterprise.py

@@ -16,5 +16,5 @@ class Migration(migrations.Migration):
             name='owned_by_enterprise',
             field=models.NullBooleanField(default=None),
         ),
-        migrations.RunSQL("update mfa_user_keys set owned_by_enterprise = %s where key_type='FIDO2'"%(True if getattr(settings,"MFA_OWNED_BY_ENTERPRISE",False) else False ))
+        migrations.RunSQL("update mfa_user_keys set owned_by_enterprise = %s where key_type='FIDO2'"%(1 if getattr(settings,"MFA_OWNED_BY_ENTERPRISE",False) else 0 ))
     ]

mfa/templates/Email/Add.html

@@ -2,54 +2,50 @@
 {% block head %}
 {% endblock %}
 {% block content %}
-    <br/>
+<br/>
-    <br/>
+<br/>
-
+<div class="container">
-    <div class="panel panel-default">
+  <div class="panel panel-default">
-      <div class="panel-heading">
+    <div class="panel-heading">
-	      <strong> Activate Token by email</strong>
+      <strong> Activate Token by email</strong>
-      </div>
+    </div>
-      <div class="panel-body">
+    <div class="panel-body">
-
       <FORM METHOD="POST" ACTION="{% url 'start_email' %}" Id="formLogin"  onSubmit="" name="FrontPage_Form1">
-
+        {% csrf_token %}
-
+        {%  if invalid %}
-      {% csrf_token %}
+        <div class="alert alert-danger">
-          {%  if invalid %}
+          Sorry, The provided token is not valid.
-          <div class="alert alert-danger">
+        </div>
-              Sorry, The provided token is not valid.
+        {% endif %}
+        {% if quota %}
+        <div class="alert alert-warning">
+          {{ quota }}
+        </div>
+        {% endif %}
+        <fieldset>
+          <div class="row">
+            <div class="col-sm-12 col-md-12">
+              <p>Enter the code sent to your email.</p>
+            </div>
           </div>
-          {% endif %}
+          <div class="row">
-      {% if quota %}
+            <div class="col-sm-12 col-md-12">
-          <div class="alert alert-warning">
+              <div class="form-group">
-              {{ quota }}
+                <div class="input-group">
+                  <span class="input-group-addon">
+                  <i class="glyphicon glyphicon-lock"></i>
+                  </span>
+                  <input class="form-control" size="6" MaxLength="6" value="" placeholder="e.g 55552" name="otp" type="text" id="otp" autofocus>
+                </div>
+              </div>
+              <div class="form-group">
+                <input type="submit" class="btn btn-lg btn-success btn-block" value="Verify">
+              </div>
+            </div>
           </div>
-      {% endif %}
+        </fieldset>
-      <fieldset>
-      <div class="row">
-      <div class="col-sm-12 col-md-12">
-        <p>Enter the 6-digits sent to your email.</p>
-      </div>
-      </div>
-
-      <div class="row">
-	  <div class="col-sm-12 col-md-12">
-	    <div class="form-group">
-	      <div class="input-group">
-		<span class="input-group-addon">
-		<i class="glyphicon glyphicon-lock"></i>
-		</span>
-		<input class="form-control" size="6" MaxLength="6" value="" placeholder="e.g 55552" name="otp" type="text" id="otp" autofocus>
-
-	      </div>
-	    </div>
-
-          <div class="form-group">
-
-	      <input type="submit" class="btn btn-lg btn-success btn-block" value="Verify">
-	      </div>
-      </div>
-      </fieldset>
       </FORM>
-      </div>
+    </div>
+  </div>
+</div>
 {% endblock %}

mfa/templates/Email/recheck.html

@@ -39,7 +39,7 @@
       <fieldset>
       <div class="row">
       <div class="col-sm-12 col-md-12">
-        <p>Enter the 6-digits sent to your email.</p>
+        <p>Enter the code sent to your email.</p>
       </div>
       </div>
 

mfa/templates/MFA.html

@@ -66,7 +66,7 @@
                 {% endif %}
             </ul>
             </div>
-
+        </div>
     <br/>
     <br/>
        <table class="table table-striped">

mfa/templates/TOTP/Add.html

@@ -2,7 +2,7 @@
 {% extends "base.html" %}
 {% load static %}
 {% block head %}
-    <style>
+<style>
     #two-factor-steps {
 	border: 1px solid #ccc;
 	border-radius: 3px;
@@ -12,8 +12,8 @@
         margin: 0px;
     }
     </style>
-    <script src="{% static 'mfa/js/qrious.min.js' %}" type="text/javascript"></script>
+<script src="{% static 'mfa/js/qrious.min.js' %}" type="text/javascript"></script>
-    <script type="text/javascript">
+<script type="text/javascript">
     var key="";
     $(document).ready(function addToken() {
         $.ajax({
@@ -61,49 +61,49 @@
     </script>
 {% endblock %}
 {% block content %}
-    <br/>
+<br/>
-    <br/>
+<br/>
-    <div class="container">
+<div class="container">
-        <div class="col-md-6 col-md-offset-3" id="two-factor-steps">
+    <div class="col-md-6 col-md-offset-3" id="two-factor-steps">
-            <div class="row" align="center">
+        <div class="row" align="center">
-                <h4>Adding Authenticator</h4>
+            <h4>Adding Authenticator</h4>
-            </div>
+        </div>
-    <div class="row">
+        <div class="row">
 
-        <p>Scan the image below with the two-factor authentication app on your <a href="javascript:void(0)" onclick="showTOTP()">phone/PC</a> phone/PC. If you can’t use a barcode,
+            <p>Scan the image below with the two-factor authentication app on your <a href="javascript:void(0)" onclick="showTOTP()">phone/PC</a>. If you can’t use a barcode,
-            <a href="javascript:void(0)" onclick="showKey()">enter this text</a> instead. </p>
+                <a href="javascript:void(0)" onclick="showKey()">enter this text</a> instead. </p>
         </div>
 
         <div class="row">
 
-        <div align="center" style="display: none" id="second_step">
+            <div align="center" style="display: none" id="second_step">
 
-        <img id="qr"/>
+                <img id="qr"/>
 
             </div>
-        <div class="row">
+            <div class="row">
 
                 <p><b>Enter the six-digit code from the application</b></p>
                 <p style="color: #333333;font-size: 10px">After scanning the barcode image, the app will display a six-digit code that you can enter below. </p>
 
-        </div>
+            </div>
             <div class="row">
 
 
-            <input style="display: inline;width: 95%" maxlength="6" size="6" class="form-control" id="answer" placeholder="e.g 785481"/>
+                <input style="display: inline;width: 95%" maxlength="6" size="6" class="form-control" id="answer" placeholder="e.g 785481"/>
 
-        </div>
-        <div class="row">
-            <div class="col-md-6" style="padding-left: 0px">
-                <button class="btn btn-success" onclick="verify()">Enable</button>
             </div>
-            <div class="col-md-6" align="right" style="padding-right: 30px">
+            <div class="row" style="padding-top: 10px;">
-                <a href="{% url 'mfa_home' %}"><button class="btn btn-default">Cancel</button></a>
+                <div class="col-md-6" style="padding-left: 0px">
+                    <button class="btn btn-success" onclick="verify()">Enable</button>
+                </div>
+                <div class="col-md-6" align="right" style="padding-right: 30px">
+                    <a href="{% url 'mfa_home' %}"><button class="btn btn-default">Cancel</button></a>
+                </div>
             </div>
         </div>
-        </div>
 
     </div>
-        </div>
+</div>
-    {% include "modal.html" %}
+{% include "modal.html" %}
 {% endblock %}

mfa/totp.py

@@ -1,4 +1,5 @@
 from django.shortcuts import render
+from django.views.decorators.cache import never_cache
 from django.http import HttpResponse
 from .models import *
 from django.template.context_processors import csrf
@@ -31,6 +32,7 @@ def recheck(request):
             return HttpResponse(simplejson.dumps({"recheck": False}), content_type="application/json")
     return render(request,"TOTP/recheck.html", context)
 
+@never_cache
 def auth(request):
     context=csrf(request)
     if request.method=="POST":
@@ -68,5 +70,6 @@ def verify(request):
         return HttpResponse("Success")
     else: return HttpResponse("Error")
 
+@never_cache
 def start(request):
     return render(request,"TOTP/Add.html",{})

requirements.txt

@@ -1,11 +1,10 @@
 django >= 1.7
-        jsonfield
+jsonfield
-        simplejson
+simplejson
-        pyotp
+pyotp
-        python-u2flib-server
+python-u2flib-server
-        ua-parser
+ua-parser
-        user-agents
+user-agents
-        python-jose
+python-jose
-        fido2 == 0.7
+fido2 == 0.8.1
-        jsonLookup
+jsonLookup
-

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='1.9.1',
+    version='2.0.0',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",
@@ -24,32 +24,28 @@ setup(
         'ua-parser',
         'user-agents',
         'python-jose',
-        'fido2 == 0.7.2',
+        'fido2 == 0.8.1',
         'jsonLookup'
       ],
-    python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*",
+    python_requires=">=3.5",
     include_package_data=True,
       zip_safe=False, # because we're including static files
     classifiers=[
         "Development Status :: 5 - Production/Stable",
         "Environment :: Web Environment",
         "Framework :: Django",
-        "Framework :: Django :: 1.7",
-        "Framework :: Django :: 1.8",
-        "Framework :: Django :: 1.9",
-        "Framework :: Django :: 1.10",
         "Framework :: Django :: 1.11",
         "Framework :: Django :: 2.0",
         "Framework :: Django :: 2.1",
+        "Framework :: Django :: 2.2",
         "Intended Audience :: Developers",
         "Operating System :: OS Independent",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 2",
-        "Programming Language :: Python :: 2.7",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.4",
         "Programming Language :: Python :: 3.5",
         "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
         "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 )