2024-08-29 11:44:06 +02:00
3 changed files with 12 additions and 4 deletions
--- a/bid_main/templates/bid_main/mfa/setup.html
+++ b/bid_main/templates/bid_main/mfa/setup.html
@ -10,9 +10,13 @@ Multi-factor Authentication Setup
  {% if user_has_mfa_configured %}
  <p>
    You have configured MFA for your account.
-    You can disable MFA at any time, but you have to sign-in using your authentication device or a recovery code.
+    You can disable MFA at any time, but you have to pass the verification using your authentication device or a recovery code.
+  </p>
+  <p>
+    Every time you sign-in on a new device you will be asked to pass the MFA verification.
+    If you use the "remember this device" option, you won't be prompted for MFA verification for that device in the next {{ agent_trust_days }} days.
+    Verification also expires after {{ agent_inactivity_days }} days of inactivity.
  </p>
-  <p>TODO explain remember me and trusted days</p>
  <div>
    <a class="btn btn-danger" href="{% url 'bid_main:mfa_disable' %}">Disable</a>
  </div>
--- a/bid_main/views/mfa.py
+++ b/bid_main/views/mfa.py
@ -2,6 +2,7 @@ from base64 import b32encode, b64encode
 from binascii import unhexlify
 from io import BytesIO

+from django.conf import settings
 from django.db import transaction
 from django.http import Http404, HttpResponseBadRequest
 from django.shortcuts import redirect
@ -37,6 +38,8 @@ class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
        if devices_per_category.keys() - {'recovery'}:
            user_can_setup_recovery = True
        return {
+            'agent_inactivity_days': settings.AGENT_INACTIVITY_DAYS,
+            'agent_trust_days': settings.AGENT_TRUST_DAYS,
            'devices_per_category': devices_per_category,
            'recovery_codes': recovery_codes,
            'user_can_setup_recovery': user_can_setup_recovery,
--- a/mfa/forms.py
+++ b/mfa/forms.py
@ -1,6 +1,7 @@
 from binascii import unhexlify

 from django import forms
+from django.conf import settings
 from django.core.signing import BadSignature, TimestampSigner
 from django.core.validators import RegexValidator
 from django.utils.translation import gettext_lazy as _
@ -44,8 +45,8 @@ class MfaForm(OTPTokenForm):

        otp_trust_agent = self.fields["otp_trust_agent"]
        otp_trust_agent.help_text = _(
-            "We won't ask for MFA next time you sign-in on this device. "
-            "Use only on your private device."
+            f"We won't ask for MFA on this device in the next {settings.AGENT_TRUST_DAYS} days. "
+            f"Use only on your private device."
        )
        otp_trust_agent.initial = False
        otp_trust_agent.label = _("Remember this device")