justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License

Add a middleware that takes a list of URLs / paths / regex patterns where MFA is enforced #69

Open MarkusH opened 1 year ago

MarkusH commented 1 year ago

This is a feature request that stems from #60.

Feature request

As a developer, I want to ensure that views under some URL path are protected with multi-factor authentication. For example, I want everything under /admin/ to be protected with MFA. When the user hasn't provided MFA credentials since they logged in, they're redirected to a view where they can provide a TOTP token, backup code, or WebAuthn. After a successful verification, they're then redirected to the originally requested page.

This ticket likely requires #68 before it can be implemented.

Implementation idea

One way I can imagine this working is a middleware that looks at the current request path and compares it to a list (or rather set) of paths or a set of regex patterns. Something along these lines:

import re

from django.shortcuts import redirect

# Exact paths that require a verified second factor.
MFA_URLS = {"/my-view/", "/another/path/to/a/view"}
# Regex patterns matched against request.path (anchored by the author).
MFA_REGEX_PATTERNS = [r"^/admin/", r"^/internal/.+/something/$"]

def ensure_mfa_middleware(get_response):
    # Compile once at startup; alternation joins the individual patterns.
    regex = re.compile(r"|".join(MFA_REGEX_PATTERNS))

    def middleware(request):
        if not request.session.get("kagi_verified", False):  # See #68
            if request.path in MFA_URLS or regex.match(request.path):
                return redirect("kagi:verify-second-factor")

        response = get_response(request)
        return response

    return middleware
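The matching and redirect logic from the sketch above, factored into plain functions so it can be checked without a Django request (an added example, not kagi's code or the issue author's; the verification URL, the `next` handling and the group-wrapping of the patterns are assumptions):

```python
import re
from urllib.parse import urlencode

MFA_URLS = {"/my-view/", "/another/path/to/a/view"}
MFA_REGEX_PATTERNS = [r"^/admin/", r"^/internal/.+/something/$"]
VERIFY_URL = "/kagi/verify/"  # assumed resolved path of kagi:verify-second-factor

# Wrap each pattern in a non-capturing group before joining, so a pattern
# that itself contains "|" cannot change the meaning of its neighbours.
_MFA_REGEX = re.compile("|".join(f"(?:{p})" for p in MFA_REGEX_PATTERNS))


def requires_mfa(path: str) -> bool:
    """True when the path is in the exact set or matches a pattern.

    Note that "^/admin/" does not match "/admin" (no trailing slash); a
    view reachable without the slash needs its own pattern or entry."""
    return path in MFA_URLS or _MFA_REGEX.match(path) is not None


def is_safe_next(next_url: str) -> bool:
    """Accept only same-site relative paths as the post-verification target;
    a scheme, a leading "//" or a backslash would allow an open redirect."""
    return (next_url.startswith("/") and not next_url.startswith("//")
            and "\\" not in next_url)


def mfa_redirect_target(path: str, query: str = "") -> str:
    """URL of the verification view with the original request (path and
    query string) carried in ?next= so the user can be sent back."""
    original = path + ("?" + query if query else "")
    if not is_safe_next(original):
        original = "/"
    return VERIFY_URL + "?" + urlencode({"next": original})


def ensure_mfa_middleware(get_response):
    """Django-style middleware factory; the session flag follows #68."""
    def middleware(request):
        if (not request.session.get("kagi_verified", False)
                and requires_mfa(request.path)):
            # Imported here so the pure functions above run without Django.
            from django.http import HttpResponseRedirect
            query = request.META.get("QUERY_STRING", "")
            return HttpResponseRedirect(mfa_redirect_target(request.path, query))
        return get_response(request)
    return middleware
```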