Initial mfa support (for internal users) #93591

Oleg-Komarov · 2024-08-27T13:10:38+02:00

Oleg-Komarov commented

2024-08-27 13:10:38 +02:00

added support for totp, u2f (yubikey) and recovery codes

TODO out of scope for this PR

replace admin login with LoginView
remove SwitchUserView

added support for totp, u2f (yubikey) and recovery codes TODO out of scope for this PR - replace admin login with LoginView - remove SwitchUserView

Oleg-Komarov added 43 commits 2024-08-27 13:10:40 +02:00

wip 0913f60deb

use MfaRequiredIfConfiguredMixin in place of LoginRequiredMixin 935c19f502

mixin to ensure a recent mfa 1277d939f8

draft template 6d094a1a91

placeholder explanation 389d6f52c9

form to disable mfa 8e419948f1

initial recovery codes support ad0cfe9bee

initial totp support 13b856b7cc

without key encryption at rest, reimplement with a custom Device class

delete device button d57b7a651f

forms 144d26eba0

small markup tweak for recovery codes 7d0aa08001

use encrypted storage for mfa secrets 734de7e49c

move forms to mfa app 93f501f289

docs, comments etc 7356a989bf

improve copy ee03f062a4

send email notifications d38eafb7cb

improve presentation f5c1cdc15a

totp setup test 0326c78568

Merge branch 'main' into mfa 631e30d6b7

fix recovery codes counter f8e1655be5

fix EncryptedRecoverDevice + test aeca8ed656

more tests 15f3d6fc5b

add sslserver for testing u2f with devserver 47b042c422

contain signature handling in the form 2d22c25536

register a u2f device 89851cc87e

wip webauthn authenticate a91afd2597

use signed form fields instead of session storage f92acdfc37

improve the bootstrp key comment 8a7b99e678

imporve recovery code warning 1377fcfc47

rename forms 9d92e5f807

rename views and templates for consistency d51d93d839

cancel buttons c3429e0212

basic client-side error handling ac496f040a

add otp_requried decorator for oauth/authorize/ d648135f4a

cleaning up and adding comments 51898e6838

mfa alternatives 1377addf3e

Merge branch 'main' into mfa e442378a03

show mfa button only to internal users 40f6f0555f

some css updates 94df1fcd80

rename for consistency e90e875c1b

more css fixes 89d5268948

simplify include-with f62ea85d1f

remove useless css class f4beaab51e

Anna Sirota reviewed 2024-08-27 14:36:52 +02:00

bid_main/templates/bid_main/emails/mfa_new_device.txt Outdated

						
				@ -0,0 +3,4 @@

				A new {{ device_type }} multi-factor authenticator has been added to your Blender ID account {{ user.email }}

				If this wasn't done by you, please reset your password immediately and contact blenderid@blender.org for support.

Anna Sirota commented

2024-08-27 13:19:00 +02:00

might be out of scope, but setting an ADMIN_EMAIL (like in DevFund) or SUPPORT_EMAIL (not to be confused with builtin settings.ADMINS) configuration variable and passing it to the templates that need it is more maintainable than hard-coding it in multiple files.

might be out of scope, but setting an `ADMIN_EMAIL` (like in DevFund) or `SUPPORT_EMAIL` (not to be confused with builtin `settings.ADMINS`) configuration variable and passing it to the templates that need it is more maintainable than hard-coding it in multiple files.

Oleg-Komarov marked this conversation as resolved

bid_main/templates/bid_main/mfa/setup.html

						
				@ -0,0 +79,4 @@

				  <p>

				    Store your recovery codes safely (e.g. in a password manager or use a printed copy) and don't share them.

				    Each code can be used only once.

				    You can generate a new set of recovery codes at any time, any remaining old codes will become invalidated.

Anna Sirota commented

2024-08-27 13:24:36 +02:00

will become invalidated.

"will be invalided" or "will become invalid"

> will become invalidated. "will be invalided" or "will become invalid"

Oleg-Komarov marked this conversation as resolved

bid_main/views/mfa.py Outdated

						
				@ -0,0 +69,4 @@

				        for device in devices_for_user(self.request.user):

				            device.delete()

				        if self.request.user.confirmed_email_at:

				            bid_main.tasks.send_mfa_disabled_email(self.request.user.pk)

Anna Sirota commented

2024-08-27 13:36:41 +02:00

DevFund and other services use send_mail_* for the most part: it's easier to parse visually

DevFund and other services use `send_mail_*` for the most part: it's easier to parse visually

Oleg-Komarov marked this conversation as resolved

bid_main/views/mfa.py Outdated

						
				@ -0,0 +82,4 @@

				        ):

				            # Forbid setting up recovery codes unless the user already has some other method

				            return HttpResponseBadRequest("can't setup recovery codes before other methods")

				        user.staticdevice_set.all().delete()

Anna Sirota commented

2024-08-27 13:38:05 +02:00

From this line it's not clear that this is recovery codes that are being deleted

Oleg-Komarov marked this conversation as resolved

bid_main/views/mfa.py Outdated

						
				@ -0,0 +94,4 @@

				class InvalidateRecoveryView(mixins.MfaRequiredIfConfiguredMixin, View):

				    def post(self, request, *args, **kwargs):

				        user = self.request.user

				        user.staticdevice_set.all().delete()

Anna Sirota commented

2024-08-27 13:38:37 +02:00

same as above

Oleg-Komarov marked this conversation as resolved

bid_main/views/mfa.py

						
				@ -0,0 +139,4 @@

				class U2fRegisterView(mixins.MfaRequiredIfConfiguredMixin, FormView):

				    form_class = U2fRegisterForm

				    success_url = reverse_lazy('bid_main:mfa')

				    template_name = "bid_main/mfa/u2f_register.html"

Anna Sirota commented

2024-08-27 13:41:02 +02:00

is context['first_device'] = not devices_for_user(self.request.user) necessary here as well?

is `context['first_device'] = not devices_for_user(self.request.user)` necessary here as well?

Oleg-Komarov marked this conversation as resolved

mfa/forms.py

						
				@ -0,0 +132,4 @@

				        self.clean_agent()

				        return self.cleaned_data

				    def save(self):

Anna Sirota commented

2024-08-27 14:30:16 +02:00

might not be necessary at all, since this isn't a ModelForm?

might not be necessary at all, since this isn't a `ModelForm`?

Oleg-Komarov marked this conversation as resolved

Márton Lente added 1 commit 2024-08-27 16:04:36 +02:00

Fix: Template component fields layout checkbox base 9def65b434

Oleg-Komarov added 1 commit 2024-08-29 11:29:06 +02:00

review fixes 585dc35274

Oleg-Komarov added 1 commit 2024-08-29 11:34:17 +02:00

doc update 3439efb9a8

Anna Sirota approved these changes 2024-08-29 11:42:01 +02:00

Anna Sirota left a comment

Awesome sauce 🎉
Great to see long awaited MFA finally happening!

Awesome sauce :tada: Great to see long awaited MFA finally happening!

Oleg-Komarov changed title from ~~WIP: mfa~~ to mfa

2024-08-29 11:42:27 +02:00

Oleg-Komarov changed title from ~~mfa~~ to Initial mfa support (for internal users)

2024-08-29 11:42:48 +02:00

Oleg-Komarov merged commit f37212966f into main

2024-08-29 11:44:06 +02:00

Oleg-Komarov deleted branch mfa

2024-08-29 11:44:06 +02:00

Oleg-Komarov referenced this issue from a commit

2024-08-29 11:44:08 +02:00

Initial mfa support (for internal users) (#93591)

Sign in to join this conversation.

No reviewers

No Label

legacy project

Infrastructure: blender.org

legacy project

Infrastructure: Websites

No Milestone

No project

No Assignees

3 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: infrastructure/blender-id#93591

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Initial mfa support (for internal users) #93591