2024-08-29 11:44:06 +02:00
9 changed files with 145 additions and 2 deletions
--- a/bid_main/email.py
+++ b/bid_main/email.py
@ -282,3 +282,40 @@ def construct_password_changed(user):
    subject = "Security alert: password changed"

    return email_body_txt, subject
+
+
+def construct_new_mfa_device(user, device_type):
+    context = {
+        "device_type": device_type,
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/new_mfa_device.txt", context
+    )
+    subject = "Security alert: a new multi-factor authentication device added"
+
+    return email_body_txt, subject
+
+
+def construct_mfa_disabled(user):
+    context = {
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/mfa_disabled.txt", context
+    )
+    subject = "Security alert: multi-factor authentication disabled"
+
+    return email_body_txt, subject
+
+
+def construct_mfa_recovery_used(user):
+    context = {
+        "user": user,
+    }
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/mfa_recovery_used.txt", context
+    )
+    subject = "Security alert: recovery code used"
+
+    return email_body_txt, subject
--- a/bid_main/signals.py
+++ b/bid_main/signals.py
@ -7,6 +7,7 @@ from django.db.models.signals import m2m_changed, post_delete
 from django.dispatch import receiver

 from . import models
+from mfa.signals import recovery_used
 import bid_main.utils as utils
 import bid_main.file_utils
 import bid_main.tasks
@ -79,3 +80,10 @@ def delete_orphaned_avatar_files(sender, instance, **kwargs):
        return

    bid_main.file_utils.delete_avatar_files(instance.avatar.name)
+
+
+@receiver(recovery_used)
+def send_mfa_recovery_used_email(sender, **kwargs):
+    user = kwargs['device'].user
+    if user.confirmed_email_at:
+        bid_main.tasks.send_mfa_recovery_used_email(user.pk)
--- a/bid_main/tasks.py
+++ b/bid_main/tasks.py
@ -43,3 +43,54 @@ def send_password_changed_email(user_pk):
        from_email=None,  # just use the configured default From-address.
        recipient_list=[email],
    )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_new_mfa_device_email(user_pk, device_type):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending a new mfa device email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_new_mfa_device(user, device_type)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_mfa_disabled_email(user_pk):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending an mfa disabled email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_mfa_disabled(user)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )
+
+
+@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
+def send_mfa_recovery_used_email(user_pk):
+    user = User.objects.get(pk=user_pk)
+    log.info("sending an mfa recovery used email for account %s", user.pk)
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = bid_main.email.construct_mfa_recovery_used(user)
+
+    email = user.email
+    send_mail(
+        subject=subject,
+        message=email_body_txt,
+        from_email=None,  # just use the configured default From-address.
+        recipient_list=[email],
+    )
--- a/bid_main/templates/bid_main/emails/mfa_disabled.txt
+++ b/bid_main/templates/bid_main/emails/mfa_disabled.txt
@ -0,0 +1,9 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+Multi-factor authentication has been disabled for your Blender ID account {{ user.email }}
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}
--- a/bid_main/templates/bid_main/emails/mfa_recovery_used.txt
+++ b/bid_main/templates/bid_main/emails/mfa_recovery_used.txt
@ -0,0 +1,11 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+A recovery code was used to pass multi-factor authentication for your Blender ID account {{ user.email }}
+
+If this wasn't done by you, please reset your password immediately, re-generate your MFA recovery codes, and contact blenderid@blender.org for support.
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}
--- a/bid_main/templates/bid_main/emails/new_mfa_device.txt
+++ b/bid_main/templates/bid_main/emails/new_mfa_device.txt
@ -0,0 +1,11 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+A new {{ device_type }} multi-factor authenticator has been added to your Blender ID account {{ user.email }}
+
+If this wasn't done by you, please reset your password immediately and contact blenderid@blender.org for support.
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}
--- a/bid_main/views/mfa.py
+++ b/bid_main/views/mfa.py
@ -17,6 +17,7 @@ import qrcode
 from . import mixins
 from mfa.forms import DisableMfaForm, TotpMfaForm
 from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
+import bid_main.tasks


 class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
@ -56,6 +57,8 @@ class DisableView(mixins.MfaRequiredMixin, FormView):
    def form_valid(self, form):
        for device in devices_for_user(self.request.user):
            device.delete()
+        if self.request.user.confirmed_email_at:
+            bid_main.tasks.send_mfa_disabled_email(self.request.user.pk)
        return super().form_valid(form)


@ -118,8 +121,11 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
        context['first_device'] = not devices_for_user(self.request.user)
        return context

+    @transaction.atomic
    def form_valid(self, form):
        form.save()
+        if self.request.user.confirmed_email_at:
+            bid_main.tasks.send_new_mfa_device_email(self.request.user.pk, 'totp')
        return super().form_valid(form)


--- a/mfa/models.py
+++ b/mfa/models.py
@ -10,11 +10,13 @@ the upstream implementation as much as possible.

 from binascii import unhexlify

-from django.db import models
+from django.db import models, transaction
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from nacl_encrypted_fields.fields import NaClCharField

+from mfa.signals import recovery_used
+

 class EncryptedRecoveryDevice(StaticDevice):
    """Using a proxy model and pretending that upstream StaticToken does not exist."""
@ -22,8 +24,12 @@ class EncryptedRecoveryDevice(StaticDevice):
        abstract = False
        proxy = True

+    @transaction.atomic
    def verify_token(self, token):
-        """Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set."""
+        """Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set.
+
+        Also added a signal for email notification.
+        """
        verify_allowed, _ = self.verify_is_allowed()
        if verify_allowed:
            match = self.encryptedtoken_set.filter(encrypted_token=token).first()
@ -32,6 +38,7 @@ class EncryptedRecoveryDevice(StaticDevice):
                self.throttle_reset(commit=False)
                self.set_last_used_timestamp(commit=False)
                self.save()
+                recovery_used.send(EncryptedRecoveryDevice, device=self)
            else:
                self.throttle_increment()
        else:
--- a/mfa/signals.py
+++ b/mfa/signals.py
@ -0,0 +1,3 @@
+from django.dispatch import Signal
+
+recovery_used = Signal()