rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License

enforce two-factor usage outside whitelisted ip ranges. #143

Closed senny closed 8 years ago

senny commented 8 years ago

Previously two-factor authentication was an opt-in per user. There are situations where two-factor auth is required to access a system.

This patch adds a configuration option:

  two_factor_authenticator:
    whitelist:
      - 127.0.0.1
      - 192.168.1.0/24
      - ["172.16.10.5", "172.16.10.13"]

This option will enforce two-factor authentication for every login attempt coming from an IP outside the specified whitelist.

An informative text is displayed if the second factor has not been configured yet. The two-factor setup must happen from a whitelisted address.

Note: This might be a niche use-case that only we are facing. I decided to prepare the PR nonetheless and let you decide whether this is something that you might be interested in getting back upstream.
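The three entry forms in the YAML above (a bare address, a CIDR block, and a two-element inclusive range) and the two rules in the description (enforce the second factor outside the whitelist; allow enrolment only from inside it) are enough to write the policy check out in full. The following is an added example, not code from the CASino project or from this PR; the module, class and method names are assumptions chosen for illustration, and the whitelist it evaluates is the one quoted in the PR description.

```ruby
require 'ipaddr'

# Added example (not CASino's code): evaluates the three whitelist entry forms
# from the PR's YAML and turns a login attempt into a policy decision.
module TwoFactorWhitelist
  # Same entries as the YAML in the PR description.
  EXAMPLE_WHITELIST = [
    '127.0.0.1',
    '192.168.1.0/24',
    ['172.16.10.5', '172.16.10.13']
  ].freeze

  class Matcher
    def initialize(entries)
      @tests = entries.map { |entry| build_test(entry) }
    end

    # true when remote_ip is inside at least one entry; an address that does
    # not parse is treated as untrusted (fail closed, so 2FA is required).
    def whitelisted?(remote_ip)
      ip = normalize(IPAddr.new(remote_ip.to_s))
      @tests.any? { |t| t.call(ip) }
    rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
      false
    end

    # Decision for a login attempt, following the rules in the PR text:
    #  :login           whitelisted address, second factor stays optional
    #  :second_factor   outside the whitelist, user has a second factor
    #  :setup_required  outside the whitelist, no second factor configured yet
    def decide(remote_ip, user_has_second_factor:)
      return :login if whitelisted?(remote_ip)
      user_has_second_factor ? :second_factor : :setup_required
    end

    # Enrolment of the second factor is only allowed from a whitelisted address.
    def setup_allowed?(remote_ip)
      whitelisted?(remote_ip)
    end

    private

    # Reverse proxies commonly hand IPv4 clients over as ::ffff:a.b.c.d;
    # compare those as IPv4 so a v4 whitelist still applies to them.
    def normalize(ip)
      ip.ipv4_mapped? ? ip.native : ip
    end

    def build_test(entry)
      case entry
      when Array
        raise ArgumentError, 'range entry needs [first, last]' unless entry.size == 2
        first = normalize(IPAddr.new(entry[0]))
        last  = normalize(IPAddr.new(entry[1]))
        raise ArgumentError, 'range mixes address families' unless first.family == last.family
        raise ArgumentError, 'range is reversed' if first > last
        ->(ip) { ip.family == first.family && ip >= first && ip <= last }
      when String
        # IPAddr parses both a bare host and a CIDR block; include? on a bare
        # host entry degenerates to a /32 (or /128) equality test.
        net = normalize(IPAddr.new(entry))
        ->(ip) { ip.family == net.family && net.include?(ip) }
      else
        raise ArgumentError, "unsupported whitelist entry: #{entry.inspect}"
      end
    end
  end
end
```

The check is only as strong as the address it is given: if the application reads the client IP from a forwarded header (X-Forwarded-For or similar) that an external client can set, the whitelist can be bypassed by claiming an internal address, so the remote IP must be taken from the connection or from a proxy that is trusted to overwrite that header. Malformed input and the IPv4-mapped IPv6 form are handled above so that neither one silently lands a request inside the whitelist.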

pencil commented 8 years ago

Yeah, this is probably not a very common use case. I would however like a feature that forces users to setup two-factor authentication on first login/before redirecting to the service (regardless of the IP range).