Initial mfa support (for internal users) #93591

Merged
Oleg-Komarov merged 46 commits from mfa into main 2024-08-29 11:44:06 +02:00
3 changed files with 12 additions and 4 deletions
Showing only changes of commit ee03f062a4 - Show all commits


@ -10,9 +10,13 @@ Multi-factor Authentication Setup
{% if user_has_mfa_configured %} {% if user_has_mfa_configured %}
<p> <p>
You have configured MFA for your account. You have configured MFA for your account.
You can disable MFA at any time, but you have to sign-in using your authentication device or a recovery code. You can disable MFA at any time, but you have to pass the verification using your authentication device or a recovery code.
</p>
<p>
Every time you sign-in on a new device you will be asked to pass the MFA verification.
If you use the "remember this device" option, you won't be prompted for MFA verification for that device in the next {{ agent_trust_days }} days.
Verification also expires after {{ agent_inactivity_days }} days of inactivity.
</p> </p>
<p>TODO explain remember me and trusted days</p>
<div> <div>
<a class="btn btn-danger" href="{% url 'bid_main:mfa_disable' %}">Disable</a> <a class="btn btn-danger" href="{% url 'bid_main:mfa_disable' %}">Disable</a>
</div> </div>
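Review bot: The new user-facing copy in this hunk uses the hyphenated noun "sign-in" where the verb is meant (`you have to sign-in using your authentication device`, `Every time you sign-in on a new device`); the verb form is two words, `sign in`, and this text is what translators will receive, so it is worth fixing before it is extracted. The rest of the replacement for the TODO paragraph reads clearly and the two interpolated settings are plain integers, so autoescaping is not a concern here.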


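--- a/PATH_NOT_SHOWN_ON_PAGE_views
+++ b/PATH_NOT_SHOWN_ON_PAGE_views
@@ -2,6 +2,7 @@ from base64 import b32encode, b64encode
 from binascii import unhexlify
 from io import BytesIO
+from django.conf import settings
 from django.db import transaction
 from django.http import Http404, HttpResponseBadRequest
 from django.shortcuts import redirect
@@ -37,6 +38,8 @@ class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
 if devices_per_category.keys() - {'recovery'}:
 user_can_setup_recovery = True
 return {
+'agent_inactivity_days': settings.AGENT_INACTIVITY_DAYS,
+'agent_trust_days': settings.AGENT_TRUST_DAYS,
 'devices_per_category': devices_per_category,
 'recovery_codes': recovery_codes,
 'user_can_setup_recovery': user_can_setup_recovery,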
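Review bot: The two new context keys hand AGENT_INACTIVITY_DAYS and AGENT_TRUST_DAYS to the template as explanatory copy, but nothing in the hunk ties them to the values the device-trust check actually enforces, so a later change on either side would leave the page describing a window that is no longer the real one. A one-line comment above the new keys would make that coupling explicit, e.g. `# Informational only: must match the windows the MFA agent-trust check enforces`. Note also that these are read as bare attributes of settings, so a deployment that omits either setting fails at request time rather than at startup; if a default is intended it should be declared in the project settings, not here. The enclosing method starts before the hunk and the returned dict closes after it.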


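--- a/PATH_NOT_SHOWN_ON_PAGE_forms
+++ b/PATH_NOT_SHOWN_ON_PAGE_forms
@@ -1,6 +1,7 @@
 from binascii import unhexlify
 from django import forms
+from django.conf import settings
 from django.core.signing import BadSignature, TimestampSigner
 from django.core.validators import RegexValidator
 from django.utils.translation import gettext_lazy as _
@@ -44,8 +45,8 @@ class MfaForm(OTPTokenForm):
 otp_trust_agent = self.fields["otp_trust_agent"]
 otp_trust_agent.help_text = _(
-"We won't ask for MFA next time you sign-in on this device. "
-"Use only on your private device."
+f"We won't ask for MFA on this device in the next {settings.AGENT_TRUST_DAYS} days. "
+f"Use only on your private device."
 )
 otp_trust_agent.initial = False
 otp_trust_agent.label = _("Remember this device")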
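Review bot: Interpolating settings.AGENT_TRUST_DAYS with an f-string inside `_()` on the help_text lines turns the msgid into a configuration-dependent string, so `makemessages` cannot extract it and any existing translation of this help text is orphaned; the second line is an f-string with no placeholder at all. Keep the msgid constant and format after translation: `"We won't ask for MFA on this device in the next %(days)s days. "`, `"Use only on your private device."`, `) % {"days": settings.AGENT_TRUST_DAYS}`. Since this runs in an instance method (presumably the form's `__init__`, which starts outside the hunk), applying `%` to the lazy proxy resolves the translation per request, which is what a per-form help text needs. The same msgid/placeholder concern does not apply to the unchanged `_("Remember this device")` label.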