josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: josh:v2.6.1
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9
..
compare: josh:v2.6rc1
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9

21 Commits
v2.6.1 ... v2.6rc1

Author SHA1 Message Date
Mohamed ElKalioby
cf527d9c26 Minor Fixes 2022-09-11 09:49:55 +03:00
Spitap
b96319c7b8 cursor pointer to toolbtn class, added to totp copy 2022-09-07 17:39:11 +02:00
Spitap
04938855bb Allow one-click copy totp secret 2022-09-07 17:32:00 +02:00
Spitap
a702739d01 Documentation changes, test_db to .gitignore 2022-09-07 17:17:25 +02:00
Mohamed ElKalioby
dcd962ad16 Added Enforce Recovery Method 2022-09-07 11:53:26 +03:00
Mohamed ElKalioby
e42770e852 Added MFRENAMEMETHOD, MFA_REDIRECT_USER_TO_LAST_METHOD, Alot of theme fixes 2022-09-07 09:30:23 +03:00
Spitap
1da193f34b More cleaning, better UX 2022-08-31 21:23:40 +02:00
Spitap
d0113dd2cc Fixes and applied comments 2022-08-31 21:13:15 +02:00
Spitap
cf4f6ed224 Cleaned recovery module a bit 2022-08-31 17:10:49 +02:00
Mohamed ElKalioby
de5808e998 Fix issue in methods page text 2022-08-31 16:52:35 +03:00
Mohamed ElKalioby
fe433dee7b updating Changelog 2022-08-31 16:50:38 +03:00
Mohamed ElKalioby
598968bc92 Recovery Codes Work in Progress 2022-08-31 16:43:44 +03:00
Spitap
91e44a78c1 Removed soft generation for tokens 2022-08-25 19:50:35 +02:00
Spitap
98ca5e972d recovery code hashing 2022-08-25 19:19:30 +02:00
Spitap
fe06e4a34d Fixed token gen bug, simplify session validation 2022-08-23 09:52:06 +02:00
Spitap
bcf3ecc15c Fixed generation issue, warning when user uses its last backup code 2022-08-22 12:15:08 +02:00
Spitap
dda23b35cb Edited readme, improved frontend 2022-08-20 20:52:10 +02:00
Spitap
43e33c1a12 fixed some bugs 2022-08-20 20:17:29 +02:00
Spitap
e06bd4d176 updated requierments 2022-08-20 20:09:14 +02:00
Spitap
98e9df8a23 Use only one key/user for backup codes, better UX, handle recovery mode deactivation 2022-08-20 20:07:36 +02:00
Spitap
3ac893ad50 recovery codes 2022-08-20 11:58:25 +02:00
4 changed files with 5 additions and 17 deletions
Expand all files Collapse all files

10
CHANGELOG.md
View File

@@ -1,13 +1,5 @@
# Change Log # Change Log
## 2.6.1 ## 2.6.0 (dev)
* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
Thanks to 'SSE (Secure Systems Engineering)'
## 2.5.1
* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
Thanks to 'SSE (Secure Systems Engineering)'
## 2.6.0
* Adding Backup Recovery Codes (Recovery) as a method. * Adding Backup Recovery Codes (Recovery) as a method.
Thanks to @Spitfireap for work, and @peterthomassen for guidance. Thanks to @Spitfireap for work, and @peterthomassen for guidance.
* Added: `RECOVERY_ITERATION` to set the number of iteration when hashing recovery token * Added: `RECOVERY_ITERATION` to set the number of iteration when hashing recovery token

2
README.md
View File

@@ -196,8 +196,6 @@ function some_func() {
* [AndreasDickow](https://github.com/AndreasDickow) * [AndreasDickow](https://github.com/AndreasDickow)
* [mnelson4](https://github.com/mnelson4) * [mnelson4](https://github.com/mnelson4)
* [ezrajrice](https://github.com/ezrajrice) * [ezrajrice](https://github.com/ezrajrice)
* [Spitfireap](https://github.com/Spitfireap)
* [peterthomassen](https://github.com/peterthomassen)
# Security contact information # Security contact information

8
mfa/FIDO2.py
View File

@@ -16,7 +16,7 @@ from .views import login, reset_cookie
import datetime import datetime
from .Common import get_redirect_url from .Common import get_redirect_url
from django.utils import timezone from django.utils import timezone
from django.http import JsonResponse
def recheck(request): def recheck(request):
"""Starts FIDO2 recheck""" """Starts FIDO2 recheck"""
@@ -49,15 +49,13 @@ def begin_registeration(request):
def complete_reg(request): def complete_reg(request):
"""Completes the registeration, called by API""" """Completes the registeration, called by API"""
try: try:
if not "fido_state" in request.session:
return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
data = cbor.decode(request.body) data = cbor.decode(request.body)
client_data = CollectedClientData(data['clientDataJSON']) client_data = CollectedClientData(data['clientDataJSON'])
att_obj = AttestationObject((data['attestationObject'])) att_obj = AttestationObject((data['attestationObject']))
server = getServer() server = getServer()
auth_data = server.register_complete( auth_data = server.register_complete(
request.session.pop('fido_state'), request.session['fido_state'],
client_data, client_data,
att_obj att_obj
) )
@@ -81,7 +79,7 @@ def complete_reg(request):
client.captureException() client.captureException()
except: except:
pass pass
return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"}) return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"}))
def start(request): def start(request):

2
setup.py
View File

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
setup( setup(
name='django-mfa2', name='django-mfa2',
version='2.6.1', version='2.5.0',
description='Allows user to add 2FA to their accounts', description='Allows user to add 2FA to their accounts',
long_description=open("README.md").read(), long_description=open("README.md").read(),
long_description_content_type="text/markdown", long_description_content_type="text/markdown",