Fixes #37

Fix FIDO2 version in the requirements file

.github/FUNDING.yml

@@ -0,0 +1 @@
+tidelift: "pypi/django-mfa2"

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Change Log
 
+## 2.1.2
+  * Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception
+  * Upgraded to FIDO 0.9.1
+
+
+## 2.1.1
+  * Fixed: FIDO2 version in requirments.txt file.
+  
+## 2.1.0
+   * Added Support for Touch ID for Mac OSx and iOS 14 on Safari
+
+## 2.0.5
+  * Fixed issue in __version__
+
+## 2.0.4
+   * Fixed: Closes #30
+
+
 ## 2.0.3
   * Fixed: __version__ to show correct version
 

README.md

@@ -1,9 +1,15 @@
 # django-mfa2
 A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Web Authn), Email Tokens , and Trusted Devices
 
+### Pip Stats
 [![PyPI version](https://badge.fury.io/py/django-mfa2.svg)](https://badge.fury.io/py/django-mfa2)
 [![Downloads Count](https://static.pepy.tech/personalized-badge/django-mfa2?period=total&units=international_system&left_color=black&right_color=green&left_text=Downloads)](https://pepy.tech/project/django-mfa2)
 
+### Conda Stats
+[![Conda Recipe](https://img.shields.io/badge/recipe-django--mfa2-green.svg)](https://anaconda.org/conda-forge/django-mfa2) 
+[![Conda Downloads](https://img.shields.io/conda/dn/conda-forge/django-mfa2.svg)](https://anaconda.org/conda-forge/django-mfa2) 
+[![Conda Version](https://img.shields.io/conda/vn/conda-forge/django-mfa2.svg)](https://anaconda.org/conda-forge/django-mfa2) 
+
 Web Authencation API (WebAuthn) is state-of-the art techology that is expected to replace passwords.
 
 ![Andriod Fingerprint](https://cdn-images-1.medium.com/max/800/1*1FWkRE8D7NTA2Kn1DrPjPA.png)
@@ -11,17 +17,17 @@ Web Authencation API (WebAuthn) is state-of-the art techology that is expected t
 For FIDO2, the following are supported
  * **security keys** (Firefox 60+, Chrome 67+, Edge 18+, Safari 13 on Mac OS, Chrome on Andriod, Safari on iOS 13.3+),
  * **Windows Hello** (Firefox 67+, Chrome 72+ , Edge) ,
- * **Apple's Touch ID** (Chrome 70+ on Mac OS X ),
+ * **Apple's Touch ID/Face ID** (Chrome 70+ on Mac OS X, Safari on macOS Big Sur, Safari on iOS 14.0+ ),
  * **android-safetynet** (Chrome 70+, Firefox 68+)
  * **NFC devices using PCSC** (Not Tested, but as supported in fido2)
 
-In English :), It allows you to verify the user by security keys on PC, Laptops or Mobiles, Windows Hello (Fingerprint, PIN) on Windows 10 Build 1903+ (May 2019 Update) Touch ID on Macbooks (Chrome) and Fingerprint/Face/Iris/PIN on Andriod Phones.
+In English :), It allows you to verify the user by security keys on PC, Laptops or Mobiles, Windows Hello (Fingerprint, PIN) on Windows 10 Build 1903+ (May 2019 Update) Touch/Face ID on Macbooks (Chrome, Safari), Touch/Face ID on iPhone and iPad and Fingerprint/Face/Iris/PIN on Android Phones.
 
-Trusted device is a mode for the user to add a device that doesn't support security keys like iOS and andriod without fingerprints or NFC.
+Trusted device is a mode for the user to add a device that doesn't support security keys like Android without fingerprints or NFC.
 
 **Note**: `U2F and FIDO2 can only be served under secure context (https)`
 
-Package tested with Django 1.8, Django 2.1 on Python 2.7 and Python 3.5+ but it was not checked with any version in between but open for issues.
+Package tested with Django 1.8, Django 2.2 on Python 2.7 and Python 3.5+ but it was not checked with any version in between but open for issues.
 
 Depends on
 
@@ -30,11 +36,23 @@ Depends on
 * ua-parser
 * user-agents
 * python-jose
-* fido2==0.8.1
+* fido2==0.9.0
-
 
 # Installation
-1. `pip install django-mfa2`
+1. using pip 
+
+    `pip install django-mfa2`
+2. Using Conda forge 
+   
+   `conda config --add channels conda-forge`
+   
+   `conda install django-mfa2`
+   
+   For more info, see the conda-forge repo (https://github.com/conda-forge/django-mfa2-feedstock)
+   
+   Thanks for [swainn](https://github.com/swainn) for adding package to conda-forge
+
+# Usage
 1. in your settings.py add the application to your installed apps
    ```python
    INSTALLED_APPS=(
@@ -160,3 +178,7 @@ function some_func() {
 * [swainn](https://github.com/swainn)
 * [unramk](https://github.com/unramk)
 * [willingham](https://github.com/willingham)
+
+
+ # Security contact information
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.

mfa/Email.py

@@ -46,8 +46,8 @@ def auth(request):
             uk = User_Keys.objects.get(username=request.session["base_username"], key_type="Email")
             mfa = {"verified": True, "method": "Email","id":uk.id}
             if getattr(settings, "MFA_RECHECK", False):
-                mfa["next_check"] = int((datetime.datetime.now() + datetime.timedelta(
+                mfa["next_check"] = datetime.datetime.timestamp(datetime.datetime.now() + datetime.timedelta(
-                    seconds = random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
+                    seconds = random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX)))
             request.session["mfa"] = mfa
 
             from django.utils import timezone

mfa/FIDO2.py

@@ -16,6 +16,7 @@ from .views import login,reset_cookie
 import datetime
 from django.utils import timezone
 
+
 def recheck(request):
     context = csrf(request)
     context["mode"] = "recheck"
@@ -26,6 +27,8 @@ def recheck(request):
 def getServer():
     rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
     return Fido2Server(rp)
+
+
 def begin_registeration(request):
     server = getServer()
     registration_data, state = server.register_begin({
@@ -36,6 +39,8 @@ def begin_registeration(request):
     request.session['fido_state'] = state
 
     return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')
+
+
 @csrf_exempt
 def complete_reg(request):
     try:
@@ -64,20 +69,25 @@ def complete_reg(request):
         except:
             pass
         return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"}))
+
+
 def start(request):
     context = csrf(request)
     return render(request, "FIDO2/Add.html", context)
 
+
 def getUserCredentials(username):
     credentials = []
     for uk in User_Keys.objects.filter(username = username, key_type = "FIDO2"):
         credentials.append(AttestedCredentialData(websafe_decode(uk.properties["device"])))
     return credentials
 
+
 def auth(request):
     context = csrf(request)
     return render(request, "FIDO2/Auth.html", context)
 
+
 def authenticate_begin(request):
     server = getServer()
     credentials = getUserCredentials(request.session.get("base_username", request.user.username))
@@ -85,6 +95,7 @@ def authenticate_begin(request):
     request.session['fido_state'] = state
     return HttpResponse(cbor.encode(auth_data), content_type = "application/octet-stream")
 
+
 @csrf_exempt
 def authenticate_complete(request):
     try:
@@ -107,7 +118,8 @@ def authenticate_complete(request):
                 signature
             )
         except ValueError:
-            return HttpResponse(simplejson.dumps({'status': "ERR", "message": "Wrong challenge received, make sure that this is your security and try again."}),
+            return HttpResponse(simplejson.dumps({'status': "ERR",
+                                                  "message": "Wrong challenge received, make sure that this is your security and try again."}),
                                 content_type = "application/json")
         except Exception as excep:
             try:
@@ -133,8 +145,8 @@ def authenticate_complete(request):
                     k.save()
                     mfa = {"verified": True, "method": "FIDO2", 'id': k.id}
                     if getattr(settings, "MFA_RECHECK", False):
-                        mfa["next_check"] = int((datetime.datetime.now()+ datetime.timedelta(
+                        mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now() + datetime.timedelta(
-                        seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
+                            seconds = random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
                     request.session["mfa"] = mfa
                     try:
                         authenticated = request.user.is_authenticated
@@ -143,8 +155,10 @@ def authenticate_complete(request):
                     if not authenticated:
                         res = login(request)
                         if not "location" in res: return reset_cookie(request)
-                        return HttpResponse(simplejson.dumps({'status':"OK","redirect":res["location"]}),content_type="application/json")
+                        return HttpResponse(simplejson.dumps({'status': "OK", "redirect": res["location"]}),
+                                            content_type = "application/json")
                     return HttpResponse(simplejson.dumps({'status': "OK"}),
                                         content_type = "application/json")
     except Exception as exp:
-        return HttpResponse(simplejson.dumps({'status': "ERR","message":exp.message}),content_type="application/json")
+        return HttpResponse(simplejson.dumps({'status': "ERR", "message": exp.message}),
+                            content_type = "application/json")

mfa/U2F.py

@@ -57,9 +57,9 @@ def validate(request,username):
     key.save()
     mfa = {"verified": True, "method": "U2F","id":key.id}
     if getattr(settings, "MFA_RECHECK", False):
-        mfa["next_check"] = int((datetime.datetime.now()
+        mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
                                  + datetime.timedelta(
-                    seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
+                    seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
     request.session["mfa"] = mfa
     return True
 

mfa/__init__.py

@@ -1 +1 @@
-__version__="2.0.3"
+__version__="2.1.0"

mfa/models.py

@@ -2,8 +2,10 @@ from django.db import models
 from jsonfield import JSONField
 from jose import jwt
 from django.conf import settings
-from jsonLookup import shasLookup
+from jsonLookup import shasLookup, hasLookup
 JSONField.register_lookup(shasLookup)
+JSONField.register_lookup(hasLookup)
+
 
 class User_Keys(models.Model):
     username=models.CharField(max_length = 50)
@@ -19,9 +21,12 @@ class User_Keys(models.Model):
         if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":
             self.properties["signature"]= jwt.encode({"username": self.username, "key": self.properties["key"]}, settings.SECRET_KEY)
         super(User_Keys, self).save(force_insert=force_insert, force_update=force_update, using=using, update_fields=update_fields)
+
     def __unicode__(self):
         return "%s -- %s"%(self.username,self.key_type)
+
     def __str__(self):
         return self.__unicode__()
+
     class Meta:
         app_label='mfa'

mfa/templates/FIDO2/Add.html

@@ -2,6 +2,7 @@
 {% load static %}
 {% block head %}
     <script type="application/javascript" src="{% static 'mfa/js/cbor.js'%}"></script>
+    <script type="application/javascript" src="{% static 'mfa/js/ua-parser.min.js'%}"></script>
     <script type="application/javascript">
     function begin_reg(){
     fetch('{% url 'fido2_begin_reg' %}',{}).then(function(response) {
@@ -40,7 +41,17 @@
        $("#res").html("<div class='alert alert-danger'>Registeration Failed as " +reason +", <a href='javascript:void(0)' onclick='begin_reg()'> try again </a> or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
     })
     }
-    $(document).ready(setTimeout(begin_reg,500))
+    $(document).ready(function (){
+        ua=new UAParser().getResult()
+        if (ua.browser.name == "Safari")
+        {
+                $("#res").html("<button class='btn btn-success' onclick='begin_reg()'>Start...</button>")
+        }
+        else
+        {
+            setTimeout(begin_reg, 500)
+        }
+    })
     </script>
 
 {% endblock %}
@@ -55,8 +66,8 @@
       <div class="panel-body">
 
 
-    <div class="row alert alert-pr" id="res">
+    <div class="row alert alert-pr" id="res" align="center">
-    <p style="color: green">Your broswer should ask you to confirm you indentity.</p>
+    <p style="color: green">Your browser should ask you to confirm you identity.</p>
 
     </div>
         </div>

mfa/templates/FIDO2/recheck.html

@@ -1,5 +1,6 @@
 {%  load static %}
 <script type="application/javascript" src="{% static 'mfa/js/cbor.js' %}"></script>
+<script type="application/javascript" src="{% static 'mfa/js/ua-parser.min.js' %}"></script>
 <div class="row">
 
 <div class="col-sm-10 col-sm-offset-1 col-xs-12 col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2">
@@ -17,7 +18,9 @@
                     <br/>
 
             {% endif %}
+                <div id="res">
                     <p style="color: green">please press the button on your security key to prove it is you.</p>
+                </div>
                 <div id="msgdiv"></div>
                 {% if mode == "auth" %}
                     <form id="u2f_login" action="{% url 'fido2_complete_auth' %}" method="post" enctype="multipart/form-data">
@@ -101,6 +104,10 @@
             $("#main_paragraph").addClass("alert alert-danger")
             $("#main_paragraph").html("FIDO2 must work under secure context")
         } else {
+            ua=new UAParser().getResult()
+            if (ua.browser.name == "Safari")
+                $("#res").html("<button class='btn btn-success' onclick='authen()'>Authenticate...</button>")
+            else
                 authen()
         }
     });

mfa/totp.py

@@ -40,9 +40,9 @@ def auth(request):
         if res[0]:
             mfa = {"verified": True, "method": "TOTP","id":res[1]}
             if getattr(settings, "MFA_RECHECK", False):
-                mfa["next_check"] = int((datetime.datetime.now()
+                mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
                                          + datetime.timedelta(
-                            seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
+                            seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
             request.session["mfa"] = mfa
             return login(request)
         context["invalid"]=True

requirements.txt

@@ -6,5 +6,5 @@ python-u2flib-server
 ua-parser
 user-agents
 python-jose
-fido2 == 0.8.1
+fido2 == 0.9.0
 jsonLookup

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='2.0.3',
+    version='2.1.2b1',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",
@@ -24,14 +24,14 @@ setup(
         'ua-parser',
         'user-agents',
         'python-jose',
-        'fido2 == 0.8.1',
+        'fido2 == 0.9.1',
         'jsonLookup'
       ],
     python_requires=">=3.5",
     include_package_data=True,
     zip_safe=False, # because we're including static files
     classifiers=[
-        "Development Status :: 5 - Production/Stable",
+        "Development Status :: 4 - Beta",
         "Environment :: Web Environment",
         "Framework :: Django",
         "Framework :: Django :: 1.11",