Merge pull request #190 from bornhack/2-factor-auth

2 factor auth

src/bornhack/settings.py

@@ -28,6 +28,8 @@ WSGI_APPLICATION = 'bornhack.wsgi.application'
 ASGI_APPLICATION = 'bornhack.routing.application'
 ROOT_URLCONF = 'bornhack.urls'
 
+ACCOUNT_ADAPTER = 'allauth_2fa.adapter.OTPAdapter'
+
 SITE_ID = 1
 
 ADMINS = (
@@ -70,6 +72,10 @@ INSTALLED_APPS = [
 
     'allauth',
     'allauth.account',
+    'allauth_2fa',
+    'django_otp',
+    'django_otp.plugins.otp_totp',
+    'django_otp.plugins.otp_static',
     'bootstrap3',
     'django_extensions',
     'reversion',
@@ -134,6 +140,7 @@ MIDDLEWARE = [
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django_otp.middleware.OTPMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 ]

src/bornhack/urls.py

@@ -1,22 +1,22 @@
-from django.urls import include, path
+from allauth.account.views import LoginView, LogoutView
+from django.conf.urls import include
 from django.contrib import admin
-from django.conf import settings
+from django.contrib.auth.decorators import login_required
+from django.urls import path
 from django.views.decorators.csrf import csrf_exempt
-
-from allauth.account.views import (
-    LoginView,
-    LogoutView,
-)
 from graphene_django.views import GraphQLView
 
+from bar.views import MenuView
 from camps.views import *
 from feedback.views import FeedbackCreate
 from info.views import *
-from villages.views import *
+from people.views import *
 from program.views import *
 from sponsors.views import *
-from people.views import *
-from bar.views import MenuView
+from villages.views import *
+
+# require 2fa token entry (if enabled on admin account) when logging into /admin by using allauth login form
+admin.site.login = login_required(admin.site.login)
 
 urlpatterns = [
     path(
@@ -66,6 +66,7 @@ urlpatterns = [
         name='general-terms'
     ),
     path('accounts/', include('allauth.urls')),
+    path('accounts/', include('allauth_2fa.urls')),
     path('admin/', admin.site.urls),
 
     # We don't need CSRF checks for the API

src/profiles/templates/allauth_2fa/authenticate.html

@@ -0,0 +1,24 @@
+{% extends 'base.html' %}
+
+{% load bootstrap3 %}
+{% load i18n %}
+
+{% block content %}
+  <div class="row">
+    <div class="col-md-6 col-md-offset-3">
+      <h1 class="text-center">
+        {% trans "Two-Factor Authentication" %}
+      </h1>
+
+      <form method="post">
+        {% csrf_token %}
+        {% bootstrap_form form %}
+
+        <button type="submit"
+                class="btn btn-black form-control">
+          {% trans 'Authenticate' %}
+        </button>
+      </form>
+    </div>
+  </div>
+{% endblock %}

src/profiles/templates/allauth_2fa/backup_tokens.html

@@ -0,0 +1,35 @@
+{% extends 'profile_base.html' %}
+
+{% load account %}
+{% load bootstrap3 %}
+{% load i18n %}
+
+{% block profile_content %}
+  <div class="row">
+    <div class="col-md-12">
+      <h1>
+        {% trans "Two-Factor Authentication Backup Tokens" %}
+      </h1>
+
+      <ul>
+        {% for token in backup_tokens %}
+        <li>{{ token.token }}</li>
+
+        {% empty %}
+        {% trans 'No tokens. Press the button below to generate some.' %}
+
+        {% endfor %}
+      </ul>
+
+      <form method="post">
+        {% csrf_token %}
+        <div class="buttonHolder">
+          <button class="btn btn-black" type="submit">
+          {% trans 'Generate backup tokens' %}
+          </button>
+          <a class="btn btn-warning" href="{% url 'two-factor-remove' %}">Disable Two-Factor</a>
+        </div>
+      </form>
+    </div>
+  </div>
+{% endblock %}

src/profiles/templates/allauth_2fa/remove.html

@@ -0,0 +1,24 @@
+{% extends 'profile_base.html' %}
+
+{% load account %}
+{% load bootstrap3 %}
+{% load i18n %}
+
+{% block profile_content %}
+  <div class="row">
+    <div class="col-md-12">
+      <h1>
+        {% trans "Disable Two-Factor Authentication" %}
+      </h1>
+
+      <p>{% trans "Are you sure?" %}</p>
+
+      <form method="post">
+        {% csrf_token %}
+        <button class="btn btn-danger" type="submit">
+          {% trans 'Disable Two-Factor' %}
+        </button>
+      </form>
+    </div>
+  </div>
+{% endblock %}

src/profiles/templates/allauth_2fa/setup.html

@@ -0,0 +1,41 @@
+{% extends 'profile_base.html' %}
+
+{% load account %}
+{% load bootstrap3 %}
+{% load i18n %}
+
+{% block profile_content %}
+  <div class="row">
+    <div class="col-md-12">
+      <h1>
+        {% trans "Setup Two-Factor Authentication" %}
+      </h1>
+
+      <h4>
+        {% trans 'Step 1' %}:
+      </h4>
+
+      <p>
+        {% trans 'Scan the QR code below with a token generator of your choice (for instance Google Authenticator).' %}
+      </p>
+
+      <img src="{% url 'two-factor-qr-code' %}" />
+
+      <h4>
+        {% trans 'Step 2' %}:
+      </h4>
+
+      <p>
+        {% trans 'Input a token generated by the app:' %}
+      </p>
+
+      <form method="post">
+        {% csrf_token %}
+        {% bootstrap_form form %}
+        <button class="btn btn-black" type="submit">
+          {% trans 'Verify' %}
+        </button>
+      </form>
+    </div>
+  </div>
+{% endblock %}

src/profiles/templates/profile_base_buttons.html

@@ -4,6 +4,9 @@
     <a href="{% url 'account_change_password' %}" class="btn btn-black">
       Password
     </a>
+    <a href="{% url 'two-factor-setup' %}" class="btn btn-black">
+      Two-Factor settings
+    </a>
     <a href="{% url 'account_email' %}" class="btn btn-black">
       Manage emails
     </a>

src/requirements/production.txt

@@ -10,6 +10,7 @@ asyncio==3.4.3
 bleach==3.1.0
 defusedxml==0.5.0
 django-allauth==0.39.1
+django-allauth-2fa==0.6
 django-bleach==0.5.2
 django-bootstrap3==11.0.0
 django-extensions==2.1.6