Two-Factor Authentication

[WayneLambert]

This issue tracks the implementation of using either a device or email token as a second factor in their multi-factor authentication process.

[WayneLambert]

Features To Include

• [x] Set up a mixin for DeviceAuthUserMixin

• [x] Set up a mixin for EmailAuthUserMixin

• [x] Set up a mixin for TwoFactorAuthUserMixin

• [x] Send an email to the user once they have set up their two-factor authentication

• [x] Set a token_valid_expiration_date

• [x] Set up a pathway redirect upon login that directs an email authenticator to a screen that accepts the email token

• [x] Logic needs to check that the token is within its expiration date (28 days)

• [x] Set up throttling on the user

• [x] Resolve testing issue which emulates a user being verified/authenticated with their second factor.

[WayneLambert]

Testing Scenarios for LoginView

• Scenario 1: The user does not exist (mickey-mouse)

  • [x] Create a helpful message
  • [x] Return them to the login screen with the message presented

• Scenario 2: The user exists but is not set up for 2FA at all (john-terry - 7)

  • [x] Feed through the initial setup process

• Scenario 3: The user exists and is using the device token method of 2FA (james-bond - 62)

  • [x] Offload the implementation to the third-party package
  • [x] Present the user with the screen where they need to enter their device token

• Scenario 4: The user exists and is attempting to 2FA with an expired email token (donald-trump - 66)

  • [x] Redirect the user through the setup process once again. This should give them a new choice of whether to use the device or email method of 2FA.
  • [x] Solution accounts for cases where there are more than one email token in the DB

• Scenario 5: The user exists and uses an unexpired email token as 2FA (bruce-willis - 67)

  • [x] Retreive the token from the DB
  • [x] Send the token to the user
  • [x] Redirect them to the screen where they can enter it

[WayneLambert]

The testing scenarios outlined in this comment have been tested and the code works as expected.

donald-trump now has an entry in the database for a token authentication in addition to an expired email token. How does logging in as donald now work?

[WayneLambert]

The testing scenarios outlined in this comment have been tested and the code works as expected.

donald-trump now has an entry in the database for a token authentication in addition to an expired email token. How does logging in as donald now work?

Due to the hierarchy of logic, Donald is presented with the opportunity to choose their method of 2FA again.

[WayneLambert]

Need to make a decision on how long the token should be valid for weighing security against convenience.

[WayneLambert]

Can I use FormView instead of TemplateView? Or can I manually declare the single form within the post method which would give me access to the form object enabling access to cleaned_data and errors.

[WayneLambert]

Can I use FormView instead of TemplateView? Or can I manually declare the single form within the post method which would give me access to the form object enabling access to cleaned_data and errors.

The post method included an instantiation of the form enabling access to the form data rather than the POST data.

[WayneLambert]

The ProfileView and the ProfileUpdateView are two examples of views that should only be available within the project for users that have two-factor authenticated.

Other examples include the PostUpdateView.

These should be used as the examples to include a custom mixin and for their corresponding tests to be adapted to emulate being two-factor authenticated.

[WayneLambert]

The ProfileView and the ProfileUpdateView are two examples of views that should only be available within the project for users that have two-factor authenticated.

Other examples include the PostUpdateView.

These should be used as the examples to include a custom mixin and for their corresponding tests to be adapted to emulate being two-factor authenticated.

The ProfileView is an example of where multiple permutations of the test has been set up to ensure that the intended outcome happens for each authentication status attempting to access the view.

[WayneLambert]

• [x] Change the max_length attribute of the challenge_token field to 255. Run makemigrations and migrate.
• [x] Remove the import from two_factor.utils import default_device
• [x] Add an image into the email for branding purposes
• [x] For the token submission form, use FormView instead but attempt to use a form that inherits from forms.Form rather than forms.ModelForm. I think using forms.ModelForm is blocking me being able to the FormView.
• [x] Add tests for the ProfileView
• [x] Add tests for the ProfileUpdateView
• [ ] Add tests for the PostCreateView
• [ ] Add tests for the PostUpdateView

[WayneLambert]

• [ ] Build a smaller and more efficient multi-stage Docker image

[WayneLambert]

Replace the django-cryptography package with the django-encrypted-model-fields. This is a more frequently maintained package and will not prevent the upgrade path.