bid_main/email.py

@@ -282,3 +282,40 @@ def construct_password_changed(user):
     subject = "Security alert: password changed"
 
     return email_body_txt, subject
+
+
+def construct_new_mfa_device(user, device_type):
+    context = {
+        "device_type": device_type,
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/new_mfa_device.txt", context
+    )
+    subject = "Security alert: a new multi-factor authentication device added"
+
+    return email_body_txt, subject
+
+
+def construct_mfa_disabled(user):
+    context = {
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/mfa_disabled.txt", context
+    )
+    subject = "Security alert: multi-factor authentication disabled"
+
+    return email_body_txt, subject
+
+
+def construct_mfa_recovery_used(user):
+    context = {
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/mfa_recovery_used.txt", context
+    )
+    subject = "Security alert: recovery code used"
+
+    return email_body_txt, subject

bid_main/signals.py

@@ -7,6 +7,7 @@ from django.db.models.signals import m2m_changed, post_delete
 from django.dispatch import receiver
 
 from . import models
+from mfa.signals import recovery_used
 import bid_main.utils as utils
 import bid_main.file_utils
 import bid_main.tasks
@@ -79,3 +80,10 @@ def delete_orphaned_avatar_files(sender, instance, **kwargs):
         return
 
     bid_main.file_utils.delete_avatar_files(instance.avatar.name)
+
+
+@receiver(recovery_used)
+def send_mfa_recovery_used_email(sender, **kwargs):
+    user = kwargs['device'].user
+    if user.confirmed_email_at:
+        bid_main.tasks.send_mfa_recovery_used_email(user.pk)

bid_main/tasks.py

@@ -43,3 +43,54 @@ def send_password_changed_email(user_pk):
         from_email=None,  # just use the configured default From-address.
         recipient_list=[email],
     )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_new_mfa_device_email(user_pk, device_type):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending a new mfa device email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_new_mfa_device(user, device_type)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_mfa_disabled_email(user_pk):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending an mfa disabled email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_mfa_disabled(user)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_mfa_recovery_used_email(user_pk):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending an mfa recovery used email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_mfa_recovery_used(user)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )

bid_main/templates/bid_main/emails/mfa_disabled.txt

@@ -0,0 +1,9 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+Multi-factor authentication has been disabled for your Blender ID account {{ user.email }}
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}

bid_main/templates/bid_main/emails/mfa_recovery_used.txt

@@ -0,0 +1,11 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+A recovery code was used to pass multi-factor authentication for your Blender ID account {{ user.email }}
+
+If this wasn't done by you, please reset your password immediately, re-generate your MFA recovery codes, and contact blenderid@blender.org for support.
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}

bid_main/templates/bid_main/emails/new_mfa_device.txt

@@ -0,0 +1,11 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+A new {{ device_type }} multi-factor authenticator has been added to your Blender ID account {{ user.email }}
+
+If this wasn't done by you, please reset your password immediately and contact blenderid@blender.org for support.
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}

bid_main/views/mfa.py

@@ -17,6 +17,7 @@ import qrcode
 from . import mixins
 from mfa.forms import DisableMfaForm, TotpMfaForm
 from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
+import bid_main.tasks
 
 
 class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
@@ -56,6 +57,8 @@ class DisableView(mixins.MfaRequiredMixin, FormView):
     def form_valid(self, form):
         for device in devices_for_user(self.request.user):
             device.delete()
+        if self.request.user.confirmed_email_at:
+            bid_main.tasks.send_mfa_disabled_email(self.request.user.pk)
         return super().form_valid(form)
 
 
@@ -118,8 +121,11 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
         context['first_device'] = not devices_for_user(self.request.user)
         return context
 
+    @transaction.atomic
     def form_valid(self, form):
         form.save()
+        if self.request.user.confirmed_email_at:
+            bid_main.tasks.send_new_mfa_device_email(self.request.user.pk, 'totp')
         return super().form_valid(form)
 
 

mfa/models.py

@@ -10,11 +10,13 @@ the upstream implementation as much as possible.
 
 from binascii import unhexlify
 
-from django.db import models
+from django.db import models, transaction
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from nacl_encrypted_fields.fields import NaClCharField
 
+from mfa.signals import recovery_used
+
 
 class EncryptedRecoveryDevice(StaticDevice):
     """Using a proxy model and pretending that upstream StaticToken does not exist."""
@@ -22,8 +24,12 @@ class EncryptedRecoveryDevice(StaticDevice):
         abstract = False
         proxy = True
 
+    @transaction.atomic
     def verify_token(self, token):
-        """Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set."""
+        """Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set.
+
+        Also added a signal for email notification.
+        """
         verify_allowed, _ = self.verify_is_allowed()
         if verify_allowed:
             match = self.encryptedtoken_set.filter(encrypted_token=token).first()
@@ -32,6 +38,7 @@ class EncryptedRecoveryDevice(StaticDevice):
                 self.throttle_reset(commit=False)
                 self.set_last_used_timestamp(commit=False)
                 self.save()
+                recovery_used.send(EncryptedRecoveryDevice, device=self)
             else:
                 self.throttle_increment()
         else:

mfa/signals.py

@@ -0,0 +1,3 @@
+from django.dispatch import Signal
+
+recovery_used = Signal()