josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: josh:v2.2.1
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9
..
compare: josh:Postgres
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9

5 Commits
v2.2.1 ... Postgres

Author SHA1 Message Date
Mohamed ElKalioby
23377abfa6 Removed Dependability of JSONLookup 2021-03-05 00:48:01 +03:00
Mohamed El-Kalioby
ba9dfc4d36 Merge pull request #41 from BIZFactoryGmbH/AndreasDickow-patch-postgresql-support-device-register 
Andreas dickow patch postgresql support device register
 2021-03-02 20:03:26 +03:00
BIZ Factory GmbH
600ef2421a Update TrustedDevice.py 
add postgresql support
 2021-03-01 08:27:38 +01:00
BIZ Factory GmbH
4fbe88b90f Update U2F.py 
fix get instead of filter in function call
 2021-03-01 08:25:48 +01:00
BIZ Factory GmbH
a48ae253d6 Update U2F.py 2021-03-01 07:44:17 +01:00
23 changed files with 49 additions and 107 deletions
Expand all files Collapse all files

8
CHANGELOG.md
View File

@@ -1,10 +1,4 @@
# Change Log
## 2.2.1
* Fixed: A missing import Thanks @AndreasDickow
## 2.2.0
* Added: MFA_REDIRECT_AFTER_REGISTRATION settings parameter
* Fixed: Deprecation error for NULBooleanField
## 2.1.2
* Fixed: Getting timestamp on Python 3.7 as ("%s") is raising an exception
@@ -12,7 +6,7 @@
## 2.1.1
* Fixed: FIDO2 version in requirements.txt file.
* Fixed: FIDO2 version in requirments.txt file.
## 2.1.0
* Added Support for Touch ID for Mac OSx and iOS 14 on Safari

7
README.md
View File

@@ -68,8 +68,6 @@ Depends on
MFA_UNALLOWED_METHODS=() # Methods that shouldn't be allowed for the user
MFA_LOGIN_CALLBACK="" # A function that should be called by username to login the user in session
MFA_RECHECK=True # Allow random rechecking of the user
MFA_REDIRECT_AFTER_REGISTRATION="mfa_home" # Allows Changing the page after successful registeration
MFA_SUCCESS_REGISTRATION_MSG = "Go to Security Home" # The text of the link
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
@@ -93,8 +91,6 @@ Depends on
**Notes**:
* Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore.
* Starting version 1.7.0, Key owners can be specified.
* Starting version 2.2.0
* Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
1. Break your login function
Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change
@@ -133,7 +129,7 @@ Depends on
1. Somewhere in your app, add a link to 'mfa_home'
```<li><a href="{% url 'mfa_home' %}">Security</a> </li>```
For Example, See 'example' app
For Example, See https://github.com/mkalioby/AutoDeploy/commit/5f1d94b1804e0aa33c79e9e8530ce849d9eb78cc in AutDeploy Project
# Going Passwordless
@@ -182,7 +178,6 @@ function some_func() {
* [swainn](https://github.com/swainn)
* [unramk](https://github.com/unramk)
* [willingham](https://github.com/willingham)
* [AndreasDickow](https://github.com/AndreasDickow)
# Security contact information

20
docs/change_login.md
View File

@@ -9,15 +9,15 @@ Usually your login function will check for username and password, log the user i
* if user has mfa then redirect to mfa page
* if user doesn't have mfa then call your function to create the user session
```python
def login(request): # this function handles the login form POST
user = auth.authenticate(username=username, password=password)
if user is not None: # if the user object exist
from mfa.helpers import has_mfa
res = has_mfa(username = username,request=request) # has_mfa returns false or HttpResponseRedirect
if res:
return res
return log_user_in(request,username=user.username)
<code>
def login(request): # this function handles the login form POST
user = auth.authenticate(username=username, password=password)
if user is not None: # if the user object exist
from mfa.helpers import has_mfa
res = has_mfa(username = username,request=request) # has_mfa returns false or HttpResponseRedirect
if res:
return res
return log_user_in(request,username=user.username)
#log_user_in is a function that handles creatung user session, it should be in the setting file as MFA_CALLBACK
```
</code>

10
example/example/settings.py
View File

@@ -77,8 +77,10 @@ WSGI_APPLICATION = 'example.wsgi.application'
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': 'test_db',
'ENGINE': 'django.db.backends.mysql',
'NAME': 'mfa',
'USER': 'root',
'PASSWORD': 'password',
}
}
@@ -139,9 +141,7 @@ MFA_RECHECK=True # Allow random rechecking of the user
MFA_RECHECK_MIN=10 # Minimum interval in seconds
MFA_RECHECK_MAX=30 # Maximum in seconds
MFA_QUICKLOGIN=True # Allow quick login for returning users by provide only their 2FA
MFA_HIDE_DISABLE=('',) # Can the user disable his key (Added in 1.2.0).
MFA_REDIRECT_AFTER_REGISTRATION="registered"
MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
MFA_HIDE_DISABLE=() # Can the user disable his key (Added in 1.2.0).
TOKEN_ISSUER_NAME="PROJECT_NAME" #TOTP Issuer name

3
example/example/templates/home.html
View File

@@ -12,9 +12,6 @@
</ol>
<!-- Page Content -->
{% if registered %}
<div class="alert alert-success">Registered Successfully</div>
{% endif %}
<h1>Welcome {{ request.user.username }}!</h1>
<hr>

5
example/example/urls.py
View File

@@ -16,12 +16,13 @@ Including another URLconf
from django.contrib import admin
from django.urls import path,re_path,include
from . import views,auth
import mfa
urlpatterns = [
path('admin/', admin.site.urls),
path('mfa/', include('mfa.urls')),
path('devices/add', mfa.TrustedDevice.add,name="mfa_add_new_trusted_device"),
path('auth/login',auth.loginView,name="login"),
path('auth/logout',auth.logoutView,name="logout"),
re_path('^$',views.home,name='home'),
path('registered/',views.registered,name='registered')
re_path('^$',views.home,name='home')
]

4
example/example/views.py
View File

@@ -5,7 +5,3 @@ from django.contrib.auth.decorators import login_required
@login_required()
def home(request):
return render(request,"home.html",{})
@login_required()
def registered(request):
return render(request,"home.html",{"registered":True})

4
example/requiremnts.txt
View File

@@ -1,2 +1,2 @@
django >= 2.2
django_ssl
django==2.0
django-sslserver

10
mfa/Common.py
View File

@@ -1,9 +1,5 @@
from django.conf import settings
from django.core.mail import EmailMessage
try:
from django.urls import reverse
except:
from django.core.urlresolver import reverse
def send(to,subject,body):
from_email_address = settings.EMAIL_HOST_USER
@@ -12,8 +8,4 @@ def send(to,subject,body):
From = "%s <%s>" % (settings.EMAIL_FROM, from_email_address)
email = EmailMessage(subject,body,From,to)
email.content_subtype = "html"
return email.send(False)
def get_redirect_url():
return {"redirect_html": reverse(getattr(settings, 'MFA_REDIRECT_AFTER_REGISTRATION', 'mfa_home')),
"reg_success_msg":getattr(settings,"MFA_SUCCESS_REGISTRATION_MSG")}
return email.send(False)

10
mfa/Email.py
View File

@@ -7,9 +7,7 @@ from .models import *
#from django.template.context import RequestContext
from .views import login
from .Common import send
def sendEmail(request,username,secret):
"""Send Email to the user after rendering `mfa_email_token_template`"""
from django.contrib.auth import get_user_model
User = get_user_model()
key = getattr(User, 'USERNAME_FIELD', 'username')
@@ -20,10 +18,9 @@ def sendEmail(request,username,secret):
@never_cache
def start(request):
"""Start adding email as a 2nd factor"""
context = csrf(request)
if request.method == "POST":
if request.session["email_secret"] == request.POST["otp"]: #if successful
if request.session["email_secret"] == request.POST["otp"]:
uk=User_Keys()
uk.username=request.user.username
uk.key_type="Email"
@@ -34,16 +31,15 @@ def start(request):
from django.core.urlresolvers import reverse
except:
from django.urls import reverse
return HttpResponseRedirect(reverse(getattr(settings,'MFA_REDIRECT_AFTER_REGISTRATION','mfa_home')))
return HttpResponseRedirect(reverse('mfa_home'))
context["invalid"] = True
else:
request.session["email_secret"] = str(randint(0,100000)) #generate a random integer
request.session["email_secret"] = str(randint(0,100000))
if sendEmail(request, request.user.username, request.session["email_secret"]):
context["sent"] = True
return render(request,"Email/Add.html", context)
@never_cache
def auth(request):
"""Authenticating the user by email."""
context=csrf(request)
if request.method=="POST":
if request.session["email_secret"]==request.POST["otp"].strip():

7
mfa/FIDO2.py
View File

@@ -14,12 +14,10 @@ from fido2.utils import websafe_decode, websafe_encode
from fido2.ctap2 import AttestedCredentialData
from .views import login, reset_cookie
import datetime
from .Common import get_redirect_url
from django.utils import timezone
def recheck(request):
"""Starts FIDO2 recheck"""
context = csrf(request)
context["mode"] = "recheck"
request.session["mfa_recheck"] = True
@@ -27,13 +25,11 @@ def recheck(request):
def getServer():
"""Get Server Info from settings and returns a Fido2Server"""
rp = PublicKeyCredentialRpEntity(settings.FIDO_SERVER_ID, settings.FIDO_SERVER_NAME)
return Fido2Server(rp)
def begin_registeration(request):
"""Starts registering a new FIDO Device, called from API"""
server = getServer()
registration_data, state = server.register_begin({
u'id': request.user.username.encode("utf8"),
@@ -47,7 +43,6 @@ def begin_registeration(request):
@csrf_exempt
def complete_reg(request):
"""Completes the registeration, called by API"""
try:
data = cbor.decode(request.body)
@@ -77,9 +72,7 @@ def complete_reg(request):
def start(request):
"""Start Registeration a new FIDO Token"""
context = csrf(request)
context.update(get_redirect_url())
return render(request, "FIDO2/Add.html", context)

9
mfa/TrustedDevice.py
View File

@@ -2,7 +2,6 @@ import string
import random
from django.shortcuts import render
from django.http import HttpResponse
from django.template.context import RequestContext
from django.template.context_processors import csrf
from .models import *
import user_agents
@@ -10,7 +9,7 @@ from django.utils import timezone
def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
x=''.join(random.choice(chars) for _ in range(size))
if not User_Keys.objects.filter(properties__shas="$.key="+x).exists(): return x
if not User_Keys.objects.filter(properties__icontains=x, key_type="Trusted Device").exists(): return x
else: return id_generator(size,chars)
def getUserAgent(request):
@@ -19,6 +18,7 @@ def getUserAgent(request):
tk=User_Keys.objects.get(id=id)
if tk.properties.get("user_agent","")!="":
ua = user_agents.parse(tk.properties["user_agent"])
print(ua.os)
res = render(None, "TrustedDevices/user-agent.html", context={"ua":ua})
return HttpResponse(res)
return HttpResponse("")
@@ -62,13 +62,14 @@ def add(request):
key=request.POST["key"].replace("-","").replace(" ","").upper()
context["username"] = request.POST["username"]
context["key"] = request.POST["key"]
trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__has="$.key="+key)
trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__iregex=rf'{key}')
cookie=False
if trusted_keys.exists():
tk=trusted_keys[0]
request.session["td_id"]=tk.id
ua=request.META['HTTP_USER_AGENT']
agent=user_agents.parse(ua)
print(agent.os)
if agent.is_pc:
context["invalid"]="This is a PC, it can't used as a trusted device."
else:
@@ -124,7 +125,7 @@ def verify(request):
json= jwt.decode(request.COOKIES.get('deviceid'),settings.SECRET_KEY)
if json["username"].lower()== request.session['base_username'].lower():
try:
uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__has="$.key=" + json["key"])
uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__properties__iregex=rf'{json["key"]}')
if uk.enabled and uk.properties["status"] == "trusted":
uk.last_used=timezone.now()
uk.save()

6
mfa/U2F.py
View File

@@ -12,7 +12,6 @@ from django.conf import settings
from django.http import HttpResponse
from .models import *
from .views import login
from .Common import get_redirect_url
import datetime
from django.utils import timezone
@@ -53,7 +52,7 @@ def validate(request,username):
challenge = request.session.pop('_u2f_challenge_')
device, c, t = complete_authentication(challenge, data, [settings.U2F_APPID])
key=User_Keys.objects.get(username=username,properties__shas="$.device.publicKey=%s"%device["publicKey"])
key = User_Keys.objects.get(username=username,key_type = "U2F", properties__iregex=rf'{device["publicKey"]}')
key.last_used=timezone.now()
key.save()
mfa = {"verified": True, "method": "U2F","id":key.id}
@@ -70,14 +69,13 @@ def auth(request):
request.session["_u2f_challenge_"]=s[0]
context["token"]=s[1]
return render(request,"U2F/Auth.html")
return render(request,"U2F/Auth.html",context)
def start(request):
enroll = begin_registration(settings.U2F_APPID, [])
request.session['_u2f_enroll_'] = enroll.json
context=csrf(request)
context["token"]=simplejson.dumps(enroll.data_for_client)
context.update(get_redirect_url())
return render(request,"U2F/Add.html",context)

2
mfa/__init__.py
View File

@@ -1 +1 @@
__version__="2.2.0"
__version__="2.1.2"

18
mfa/migrations/0011_auto_20210530_0622.py
View File

@@ -1,18 +0,0 @@
# Generated by Django 2.2 on 2021-05-30 06:22
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('mfa', '0010_auto_20201110_0557'),
]
operations = [
migrations.AlterField(
model_name='user_keys',
name='owned_by_enterprise',
field=models.BooleanField(blank=True, default=None, null=True),
),
]

5
mfa/models.py
View File

@@ -2,9 +2,6 @@ from django.db import models
from jsonfield import JSONField
from jose import jwt
from django.conf import settings
#from jsonLookup import shasLookup, hasLookup
# JSONField.register_lookup(shasLookup)
# JSONField.register_lookup(hasLookup)
class User_Keys(models.Model):
@@ -15,7 +12,7 @@ class User_Keys(models.Model):
enabled=models.BooleanField(default=True)
expires=models.DateTimeField(null=True,default=None,blank=True)
last_used=models.DateTimeField(null=True,default=None,blank=True)
owned_by_enterprise=models.BooleanField(default=None,null=True,blank=True)
owned_by_enterprise=models.NullBooleanField(default=None,null=True,blank=True)
def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":

2
mfa/templates/FIDO2/Add.html
View File

@@ -32,7 +32,7 @@
}).then(function (res)
{
if (res["status"] =='OK')
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
else
$("#res").html("<div class='alert alert-danger'>Registeration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")

2
mfa/templates/TOTP/Add.html
View File

@@ -43,7 +43,7 @@
else
{
alert("Your authenticator is added successfully.")
window.location.href="{{ redirect_html }}"
window.location.href="{% url 'mfa_home' %}"
}
}
})

2
mfa/templates/U2F/Add.html
View File

@@ -24,7 +24,7 @@
if (data == "OK")
{
alert("Your device is added successfully.")
window.location.href="{{ redirect_html }}"
window.location.href="{% url 'mfa_home' %}"
}
}
})

4
mfa/totp.py
View File

@@ -1,7 +1,6 @@
from django.shortcuts import render
from django.views.decorators.cache import never_cache
from django.http import HttpResponse
from .Common import get_redirect_url
from .models import *
from django.template.context_processors import csrf
import simplejson
@@ -73,5 +72,4 @@ def verify(request):
@never_cache
def start(request):
"""Start Adding Time One Time Password (TOTP)"""
return render(request,"TOTP/Add.html",get_redirect_url())
return render(request,"TOTP/Add.html",{})

4
mfa/urls.py
View File

@@ -1,10 +1,11 @@
from . import views,totp,U2F,TrustedDevice,helpers,FIDO2,Email
#app_name='mfa'
try:
from django.urls import re_path as url
except:
from django.conf.urls import url
urlpatterns = [
url(r'totp/start/', totp.start , name="start_new_otop"),
url(r'totp/getToken', totp.getToken , name="get_new_otop"),
@@ -39,6 +40,7 @@ urlpatterns = [
url(r'u2f/secure_device', TrustedDevice.getCookie, name="td_securedevice"),
url(r'^$', views.index, name="mfa_home"),
url(r'devices/add$', TrustedDevice.add,name="mfa_add_new_trusted_device"),
url(r'goto/(.*)', views.goto, name="mfa_goto"),
url(r'selct_method', views.show_methods, name="mfa_methods_list"),
url(r'recheck', helpers.recheck, name="mfa_recheck"),

4
requirements.txt
View File

@@ -1,4 +1,4 @@
django >= 2.0
django >= 1.7
jsonfield
simplejson
pyotp
@@ -6,5 +6,5 @@ python-u2flib-server
ua-parser
user-agents
python-jose
fido2 == 0.9.1
fido2 == 0.9.0
jsonLookup

10
setup.py
View File

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
setup(
name='django-mfa2',
version='2.2.0',
version='2.2.0b1',
description='Allows user to add 2FA to their accounts',
long_description=open("README.md").read(),
long_description_content_type="text/markdown",
@@ -25,20 +25,20 @@ setup(
'user-agents',
'python-jose',
'fido2 == 0.9.1',
'jsonLookup'
# 'jsonLookup'
],
python_requires=">=3.5",
include_package_data=True,
zip_safe=False, # because we're including static files
classifiers=[
"Development Status :: 5 - Production/Stable",
"Development Status :: 4 - Beta",
#"Development Status :: 5 - Production/Stable",
"Environment :: Web Environment",
"Framework :: Django",
"Framework :: Django :: 1.11",
"Framework :: Django :: 2.0",
"Framework :: Django :: 2.1",
"Framework :: Django :: 2.2",
"Framework :: Django :: 3.0",
"Framework :: Django :: 3.1",
"Intended Audience :: Developers",
"Operating System :: OS Independent",
"Programming Language :: Python",