ResonantGeoData / RD-OpenGeo

Resonant GeoData primary deployment
https://www.resonantgeodata.com
Apache License 2.0

Implement Two-Factor Authentication #19

Closed mvandenburgh closed 2 years ago

mvandenburgh commented 2 years ago

This PR adds support for two-factor authentication via an authenticator app (like Google Authenticator).

Resolve https://github.com/ResonantGeoData/RGD-ScrumBoard/issues/37

To use:

banesullivan commented 2 years ago

@mvandenburgh, this is looking great! I'm curious if there is a setting to require all users to use 2FA - sending them to the 2FA page on signup perhaps?

banesullivan commented 2 years ago

Also, is there a way to enforce this on the admin site too?

mvandenburgh commented 2 years ago

> @mvandenburgh, this is looking great! I'm curious if there is a setting to require all users to use 2FA - sending them to the 2FA page on signup perhaps?

Yes, this is possible https://django-allauth-2fa.readthedocs.io/en/latest/advanced/#forcing-a-user-to-use-2fa.

> Also, is there a way to enforce this on the admin site too?

I think so, I can look into it if you want.

Do you want me to implement these features on this branch?

banesullivan commented 2 years ago

> Do you want me to implement these features on this branch?

Yep, if you could do those things here, that would be great!

mvandenburgh commented 2 years ago

> @mvandenburgh, this is looking great! I'm curious if there is a setting to require all users to use 2FA - sending them to the 2FA page on signup perhaps?

https://github.com/ResonantGeoData/RD-OpenGeo/pull/19/commits/34a18fd94dc2093500f8e06e9de8eee9729adfd4

> Also, is there a way to enforce this on the admin site too?

So, it seems the only way to enforce this is to override the admin login page and force admins to log in through the default allauth view. From there, they will be required to authenticate with 2FA. Did this in https://github.com/ResonantGeoData/RD-OpenGeo/pull/19/commits/516567c15d7d897a9f2093b3d6021b85c6a79597

banesullivan commented 2 years ago

This is excellent work! Would you please refactor the settings in the form of a composed-configuration "mixin":

e.g. (did it myself b/c I needed to copy this over to another deployment but could you commit it here?):

```python
from typing import Type

from composed_configuration import ComposedConfiguration, ConfigMixin


class TwoFactorAuthMixin(ConfigMixin):
    @staticmethod
    def before_binding(configuration: Type[ComposedConfiguration]):
        configuration.INSTALLED_APPS += [
            # Configure the django-otp package.
            'django_otp',
            'django_otp.plugins.otp_totp',
            'django_otp.plugins.otp_static',
            # Enable two-factor auth.
            'allauth_2fa',
        ]
        configuration.MIDDLEWARE += [
            # OTPMiddleware must run after Django's AuthenticationMiddleware
            # so that request.user carries the OTP verification state.
            'django_otp.middleware.OTPMiddleware',
            'allauth_2fa.middleware.AllauthTwoFactorMiddleware',
            'opengeo.auth.RequireTwoFactorAuthMiddleware',
        ]

    ACCOUNT_ADAPTER = 'opengeo.auth.TwoFactorAuthAdapter'
```

Then could you also update all of the classes in the settings to use mutate_configuration instead of before_binding per https://github.com/girder/django-composed-configuration/pull/145

banesullivan commented 2 years ago

Further, after logging in for the first time and you have to set up 2FA, could you make it so that there is some sort of link to view the site? See on this page, users have no direct way to go into the app:

[Screenshot: Screen Shot 2021-09-11 at 3 09 32 PM]

banesullivan commented 2 years ago

@mvandenburgh, is this compatible with the Python client? Can you look into that?

mvandenburgh commented 2 years ago

> @mvandenburgh, is this compatible with the Python client? Can you look into that?

Not sure, I'm guessing not though. Yes, I can look into this.

banesullivan commented 2 years ago

Not merging, good to keep as a reference - needed to use LDAP for an internal project that requires 2FA. There is an internal blog on the setup.