├── .github
    ├── dependabot.yml
    └── workflows
    │   └── main.yml
├── .gitignore
├── CHANGES.md
├── LICENSE
├── README.md
├── mfa
    ├── __init__.py
    ├── admin.py
    ├── apps.py
    ├── decorators.py
    ├── forms.py
    ├── locale
    │   ├── de
    │   │   └── LC_MESSAGES
    │   │   │   ├── django.mo
    │   │   │   └── django.po
    │   └── fr
    │   │   └── LC_MESSAGES
    │   │       ├── django.mo
    │   │       └── django.po
    ├── mail.py
    ├── methods
    │   ├── __init__.py
    │   ├── fido2.py
    │   ├── recovery.py
    │   └── totp.py
    ├── middleware.py
    ├── migrations
    │   ├── 0001_initial.py
    │   ├── 0002_mfakey_last_code.py
    │   ├── 0003_alter_mfakey_method.py
    │   ├── 0004_alter_mfakey_id.py
    │   └── __init__.py
    ├── mixins.py
    ├── models.py
    ├── settings.py
    ├── static
    │   └── mfa
    │   │   ├── fido2.js
    │   │   └── vendor
    │   │       └── webauthn-json.browser-ponyfill.js
    ├── templates
    │   └── mfa
    │   │   ├── auth_FIDO2.html
    │   │   ├── auth_TOTP.html
    │   │   ├── auth_recovery.html
    │   │   ├── create_FIDO2.html
    │   │   ├── create_TOTP.html
    │   │   ├── create_recovery.html
    │   │   ├── login_failed_subject.txt
    │   │   ├── mfakey_confirm_delete.html
    │   │   └── mfakey_list.html
    ├── templatetags
    │   ├── __init__.py
    │   └── mfa.py
    ├── urls.py
    └── views.py
├── pyproject.toml
└── tests
    ├── __init__.py
    ├── settings.py
    ├── templates
        ├── mfa
        │   └── login_failed_email.txt
        └── registration
        │   └── login.html
    ├── tests.py
    └── urls.py


/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | # To get started with Dependabot version updates, you'll need to specify which
 2 | # package ecosystems to update and where the package manifests are located.
 3 | # Please see the documentation for all configuration options:
 4 | # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 5 | 
 6 | version: 2
 7 | updates:
 8 |   - package-ecosystem: "pip"
 9 |     directory: "/"
10 |     schedule:
11 |       interval: "weekly"
12 |     ignore:
13 |       - dependency-name: "qrcode"
14 | 


--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
 1 | on: [push]
 2 | jobs:
 3 |   lint:
 4 |     runs-on: ubuntu-latest
 5 |     steps:
 6 |     - uses: actions/checkout@v4
 7 |     - uses: actions/setup-python@v5
 8 |     - run: pip install ruff
 9 |     - name: linters
10 |       run: |
11 |         ruff check mfa tests
12 |   test:
13 |     runs-on: ubuntu-latest
14 |     strategy:
15 |       matrix:
16 |         include:
17 |           - python: '3.10'
18 |             django: '4.2'
19 |           - python: '3.13'
20 |             django: '5.2'
21 |     steps:
22 |     - uses: actions/checkout@v4
23 |     - uses: actions/setup-python@v5
24 |       with:
25 |         python-version: ${{ matrix.python }}
26 |     - run: pip install . coverage tomli "django==${{ matrix.django }}"
27 |     - name: tests
28 |       run: |
29 |         coverage run -m django test --settings tests.settings
30 |         coverage report
31 |   publish:
32 |     needs: [lint, test]
33 |     if: startsWith(github.ref, 'refs/tags')
34 |     runs-on: ubuntu-latest
35 |     permissions:
36 |       id-token: write
37 |     steps:
38 |     - uses: actions/checkout@v4
39 |     - uses: actions/setup-python@v5
40 |     - run: pip install build
41 |     - name: build
42 |       run: python3 -m build
43 |     - name: publish
44 |       uses: pypa/gh-action-pypi-publish@release/v1
45 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .venv
2 | .coverage
3 | *.egg-info
4 | build
5 | dist
6 | __pycache__
7 | htmlcov
8 | 


--------------------------------------------------------------------------------
/CHANGES.md:
--------------------------------------------------------------------------------
  1 | 1.0.0 (2025-05-21)
  2 | ------------------
  3 | 
  4 | -   drop support for python 3.9
  5 | -   drop support for fido2 1.x
  6 | -   cbor-js is no longer required
  7 | -   the new javascript dependency webauthn-json is included in the package
  8 | -   the `<script>` element that loads fido2.js now needs to use `type="module"`
  9 | 
 10 | 
 11 | 0.15.2 (2025-05-21)
 12 | -------------------
 13 | 
 14 | -   remove support for fido2 2.x for now
 15 | -   drop support for Django 3.2
 16 | 
 17 | 
 18 | 0.15.1 (2025-02-05)
 19 | -------------------
 20 | 
 21 | -   fido2: fix json mapping deprecation warning
 22 | -   update french translation
 23 | 
 24 | 
 25 | 0.15.0 (2025-01-20)
 26 | -------------------
 27 | 
 28 | -   Allow to search by username in admin UI
 29 | -   Change label of the name field to "Name for this key" to avoid confusion
 30 | 
 31 | 
 32 | 0.14.0 (2024-12-06)
 33 | -------------------
 34 | 
 35 | -   Use `autocomplete="one-time-code"` on form inputs
 36 | -   Set `Auto-Submitted` header in emails
 37 | -   Align handling of localhost as a secure context with upstream. Notably,
 38 |     this means that `DEBUG` no longer has any effect and that `127.0.0.1` is no
 39 |     longer treated as a secure context.
 40 | -   Drop support for Python 3.8
 41 | 
 42 | 
 43 | 0.13.0 (2024-06-18)
 44 | -------------------
 45 | 
 46 | -   Add suport for `LoginRequiredMiddleware` from django 5.1
 47 | 
 48 | 
 49 | 0.12.1 (2024-03-26)
 50 | -------------------
 51 | 
 52 | -   Fix failed package build
 53 | 
 54 | 
 55 | 0.12.0 (2024-03-26)
 56 | -------------------
 57 | 
 58 | -   Set ID field independent of `DEFAULT_AUTO_FIELD`
 59 | -   Add support for async in `MFAEnforceMiddleware`
 60 | -   Fix: include `login_failed_subject.txt` in package
 61 | -   Add support for django 5.0, drop support for django 4.1
 62 | -   Add support for python 3.12, drop support for python 3.7
 63 | -   Replace setup.py by pyproject.toml
 64 | 
 65 | 
 66 | 0.11.0 (2023-04-14)
 67 | -------------------
 68 | 
 69 | -   Add setting `MFA_FIDO2_USER_VERIFICATION`
 70 | -   Allow to use FIDO2 on localhost without HTTPS if DEBUG is True (thanks to
 71 |     humphrey)
 72 | -   Avoid autocompletion in the code field
 73 | -   Fix minimum supported django version (3.2) in the package
 74 | 
 75 | 
 76 | 0.10.0 (2023-03-19)
 77 | -------------------
 78 | 
 79 | -   Add french translation (thanks to hleroy)
 80 | 
 81 | 
 82 | 0.9.0 (2023-02-27)
 83 | ------------------
 84 | 
 85 | -   Autofocus in auth form
 86 | -   Work around rendering bug in qrcode (see
 87 |     https://github.com/lincolnloop/python-qrcode/issues/317)
 88 | 
 89 | 
 90 | 0.8.0 (2022-12-08)
 91 | ------------------
 92 | 
 93 | -   Add option to send an email on failed login
 94 | 
 95 | 
 96 | 0.7.0 (2022-06-24)
 97 | ------------------
 98 | 
 99 | -   Add new setting `MFA_TOTP_VALID_WINDOW` to compensate for clock drifts
100 |     (thanks to Tobias Bölz)
101 | 
102 | 
103 | 0.6.0 (2022-06-08)
104 | ------------------
105 | 
106 | -   Adapt to fido2 1.0.0
107 | 
108 | 
109 | 0.5.1 (2022-06-08)
110 | ------------------
111 | 
112 | -   Pin fido2 dependency
113 | 
114 | 
115 | 0.5.0 (2022-04-15)
116 | ------------------
117 | 
118 | -   Security fix: The admin login was not adapted, so it could be used to
119 |     bypass MFA. As a fix, django-mfa3 will now automatically patch `AdminSite`
120 |     so the admin login redirects to regular login. (CVE-2022-24857)
121 | -   Drop support for django 2.2
122 | -   Use a more efficient string encoding for FIDO2 messages
123 | 
124 | 
125 | 0.4.0 (2022-01-25)
126 | ------------------
127 | 
128 | -   Drop support for python 3.6, add support for python 3.10
129 | -   Drop support for django 3.1, add support for django 4.0
130 | -   No longer include MFA code in credentials for `user_login_failed`
131 | 
132 | 
133 | 0.3.0 (2021-08-25)
134 | ------------------
135 | 
136 | -   Add recovery codes. Check the example templates for references to
137 |     "recovery" to see what needs to be changed.
138 | -   Add new setting `MFA_METHODS` to change the set of enabled methods.
139 | 
140 | 
141 | 0.2.5 (2021-07-18)
142 | ------------------
143 | 
144 | -   Fix usage with custom User models that use a different username field
145 |     (thanks to Ashok Argent-Katwala)
146 | 
147 | 
148 | 0.2.4 (2021-07-07)
149 | ------------------
150 | 
151 | -   Security fix: Do not allow users to see the names of/delete other user's
152 |     keys (secrets were not leaked)
153 | 
154 | 
155 | 0.2.3 (2021-07-05)
156 | ------------------
157 | 
158 | -   Fix packaging: include .mo files
159 | 
160 | 
161 | 0.2.2 (2021-07-05)
162 | ------------------
163 | 
164 | -   Fix packaging: include templatetags
165 | 
166 | 
167 | 0.2.1 (2021-07-02)
168 | ------------------
169 | 
170 | -   Fix packaging: exclude tests
171 | 
172 | 
173 | 0.2.0 (2021-07-02)
174 | ------------------
175 | 
176 | -   Convert qrcode to template filter. In templates, change
177 |     `{{ mfa_data.qrcode|safe }}` to `{% load mfa %} {{ mfa_data.url|qrcode }}`.
178 | -   Fix form validation on missing code
179 | -   Add german translation
180 | -   Use `never_cache` and `sensitive_post_parameters` decorators
181 | -   Do not generate a new challenge on validation errors
182 | 
183 | 
184 | 0.1.0 (2021-06-29)
185 | ------------------
186 | 
187 | -   Trigger `user_login_failed` on failed second factor. This can be used to
188 |     integrating with external rate limiting solutions such as django-axes.
189 | -   Fix: include JS files in python package
190 | -   Render qrcode server-side
191 | -   Convenience: redirect to TOTP auth if no FIDO2 key exists
192 | -   Add optional `MFAEnforceMiddleware`
193 | -   Tweak admin UI
194 | -   Tweak example templates
195 | 
196 | 
197 | 0.0.0 (2021-06-21)
198 | ------------------
199 | 
200 | initial release
201 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Tobias Bengfort
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # django-mfa3
  2 | 
  3 | An opinionated Django app that handles multi factor authentication (MFA) via
  4 | FIDO2, TOTP, and recovery codes.
  5 | 
  6 | ## Features
  7 | 
  8 | -   Two factor authentication is required on login (if the user has registered a key)
  9 | -   Stuff just works without much configuration
 10 | -   The UI allows to add new keys and to remove keys that have been compromised
 11 | -   You can optionally enforce MFA for all users
 12 | -   You can (and should) customize the templates
 13 | -   Simple code, few dependencies
 14 | 
 15 | ## Installation
 16 | 
 17 | ```
 18 | pip install django-mfa3
 19 | ```
 20 | 
 21 | ## Usage
 22 | 
 23 | 1.  Add `'mfa'` to `INSTALLED_APPS`
 24 | 2.  Use `mfa.views.LoginView` instead of the regular login view. (Be sure to
 25 |     remove any other login routes, otherwise the multi factor authentication
 26 |     can be circumvented. The admin login will automatically be patched to
 27 |     redirect to the regular login.)
 28 | 3.  Set `MFA_DOMAIN = 'example.com'` and `MFA_SITE_TITLE = 'My site'`. See
 29 |     `settings.py` for a full list of settings.
 30 | 4.  Register URLs: `path('mfa/', include('mfa.urls', namespace='mfa')`
 31 | 5.  The included templates are just examples, so you should [replace them](https://docs.djangoproject.com/en/stable/howto/overriding-templates/) with your own
 32 | 6.  FIDO2 requires client side code. You can either implement it yourself or use the included fido2.js.
 33 | 7.  Somewhere in your app, add a link to `'mfa:list'`
 34 | 
 35 | ## Enforce MFA
 36 | 
 37 | Optionally, you can add `'mfa.middleware.MFAEnforceMiddleware'` to `MIDDLEWARE`
 38 | (after `AuthenticationMiddleware`!). It will force users to setup two factor
 39 | authentication by redirecting all authenticated requests to `'mfa:list'` as
 40 | long as the user has no MFAKeys. You can use `mfa.decorators.public` to add
 41 | exceptions.
 42 | 
 43 | ## Send email on failed login attempt
 44 | 
 45 | If someone failes to login on the second factor that might indicate that the
 46 | first factor (password) has been compromised. django-mfa3 will automatically
 47 | send a warning to affected users under the following conditions:
 48 | 
 49 | -   Django needs to be [configured for sending email](https://docs.djangoproject.com/en/4.1/topics/email/)
 50 | -   There must be an email address associated with the user account
 51 | -   You need to provide some templates
 52 |     -   `mfa/login_failed_subject.txt`: optional, a default is included
 53 |     -   `mfa/login_failed_email.txt`: required, an example is included in the
 54 |         [tests](https://github.com/xi/django-mfa3/blob/main/tests/templates/mfa/login_failed_email.txt)
 55 |     -   `mfa/login_failed_email.html`: optional
 56 | 
 57 | All templates have access to the following context data: `email`, `domain`,
 58 | `site_name`, `user`, `method`.
 59 | 
 60 | ## Status
 61 | 
 62 | I am not sure whether I will be able to maintain this library long-term. If you
 63 | would like to help or even take ownership of this project, please contact me!
 64 | 
 65 | ## Related projects
 66 | 
 67 | django-mfa3 is based on [pyotp](https://github.com/pyauth/pyotp) and
 68 | [python-fido2](https://github.com/Yubico/python-fido2).
 69 | 
 70 | It is inspired by but not otherwise affiliated with
 71 | [django-mfa2](https://github.com/mkalioby/django-mfa2).
 72 | A big difference between the two projects is that django-mfa2 supports many
 73 | methods, while django-mfa3 only supports FIDO2 and TOTP. U2F was dropped
 74 | because it is now superseded by FIDO2. Email and Trusted Devices were dropped
 75 | because I felt like they have inferior security properties compared to FIDO2
 76 | and TOTP.
 77 | 
 78 | Another major inspiration is
 79 | [django-otp](https://github.com/django-otp/django-otp). It is probably the most
 80 | mature library when it comes to two factor authentication in django. However,
 81 | its [basic structure is not compatible with
 82 | FIDO2](https://github.com/django-otp/django-otp/issues/40).
 83 | 
 84 | It is recommended to use django-mfa3 with
 85 | [django-axes](https://github.com/jazzband/django-axes) for rate limiting. It is
 86 | also compatible with
 87 | [django-stronghold](https://github.com/mgrouchy/django-stronghold/).
 88 | 
 89 | ## Security considerations
 90 | 
 91 | The actual cryptography is handled by pyotp and python-fido2. This library only
 92 | provides the glue code for django. Still, there could be issues in the glue.
 93 | 
 94 | A notable attack surface is server state: The authentication consists of three
 95 | separate HTTP requests: The regular login, fetching a challenge, and a
 96 | response. The server keeps some state in the session across these requests. For
 97 | example, the user is temporarily stored in the session until the second factor
 98 | authentication is done. The logic for handling this state is not as straight
 99 | forward as I would like and there might be issues hidden in there.
100 | 
101 | Please also be careful when implementing and using this library in your project
102 | to prevent higher level security or usability issues. Please refer to other
103 | guidelines like the
104 | [OWASP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html)
105 | for more informaton on that topic.
106 | 


--------------------------------------------------------------------------------
/mfa/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/__init__.py


--------------------------------------------------------------------------------
/mfa/admin.py:
--------------------------------------------------------------------------------
 1 | from django.contrib import admin
 2 | from django.contrib.auth import REDIRECT_FIELD_NAME
 3 | from django.contrib.auth.views import redirect_to_login
 4 | from django.urls import reverse
 5 | 
 6 | from .decorators import login_not_required
 7 | from .models import MFAKey
 8 | 
 9 | 
10 | @login_not_required
11 | def custom_login(self, request, extra_context=None):
12 |     next_url = (
13 |         request.GET.get(REDIRECT_FIELD_NAME)
14 |         or request.POST.get(REDIRECT_FIELD_NAME)
15 |         or reverse('admin:index')
16 |     )
17 |     return redirect_to_login(next_url)
18 | 
19 | 
20 | def patch_admin():
21 |     setattr(admin.AdminSite, 'login', custom_login)
22 | 
23 | 
24 | @admin.register(MFAKey)
25 | class MFAKeyAdmin(admin.ModelAdmin):
26 |     list_display = ['user', 'method', 'name']
27 |     search_fields = ['user__username', 'name']
28 |     list_filter = ['method']
29 | 


--------------------------------------------------------------------------------
/mfa/apps.py:
--------------------------------------------------------------------------------
 1 | from django.apps import AppConfig
 2 | 
 3 | 
 4 | class TwoFactorConfig(AppConfig):
 5 |     name = 'mfa'
 6 |     verbose_name = 'Multi Factor Authentication'
 7 | 
 8 |     def ready(self):
 9 |         from .admin import patch_admin
10 |         patch_admin()
11 | 


--------------------------------------------------------------------------------
/mfa/decorators.py:
--------------------------------------------------------------------------------
 1 | try:
 2 |     from stronghold.decorators import public as stronghold_login_not_required
 3 | except ImportError:
 4 |     def stronghold_login_not_required(view_func):
 5 |         return view_func
 6 | 
 7 | try:
 8 |     from django.contrib.auth.decorators import login_not_required
 9 | except ImportError:
10 |     def login_not_required(view_func):
11 |         return view_func
12 | 
13 | 
14 | def public(view_func):
15 |     view_func.mfa_public = True
16 |     return view_func
17 | 


--------------------------------------------------------------------------------
/mfa/forms.py:
--------------------------------------------------------------------------------
 1 | from django import forms
 2 | from django.utils.translation import gettext_lazy as _
 3 | 
 4 | 
 5 | class MFABaseForm(forms.Form):
 6 |     code = forms.CharField(label=_('Authentication code'))
 7 | 
 8 |     def __init__(self, validate_code=None, **kwargs):
 9 |         self.validate_code = validate_code
10 |         super().__init__(**kwargs)
11 |         self.fields['code'].widget.attrs.update({'autocomplete': 'one-time-code'})
12 | 
13 |     def clean(self):
14 |         cleaned_data = super().clean()
15 |         code = cleaned_data.get('code')
16 |         if code:
17 |             try:
18 |                 cleaned_data['secret'] = self.validate_code(code)
19 |             except ValueError as e:
20 |                 raise forms.ValidationError(_('Validation failed')) from e
21 |         return cleaned_data
22 | 
23 | 
24 | class MFAAuthForm(MFABaseForm):
25 |     def __init__(self, **kwargs):
26 |         super().__init__(**kwargs)
27 |         self.fields['code'].widget.attrs.update({'autofocus': True})
28 | 
29 | 
30 | class MFACreateForm(MFABaseForm):
31 |     name = forms.CharField(label=_('Name for this key'), max_length=32)
32 | 


--------------------------------------------------------------------------------
/mfa/locale/de/LC_MESSAGES/django.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/locale/de/LC_MESSAGES/django.mo


--------------------------------------------------------------------------------
/mfa/locale/de/LC_MESSAGES/django.po:
--------------------------------------------------------------------------------
 1 | msgid ""
 2 | msgstr ""
 3 | "MIME-Version: 1.0\n"
 4 | "Content-Type: text/plain; charset=UTF-8\n"
 5 | "Content-Transfer-Encoding: 8bit\n"
 6 | "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 7 | 
 8 | msgid "Authentication code"
 9 | msgstr "Authentifizierungscode"
10 | 
11 | msgid "Validation failed"
12 | msgstr "Validierung fehlgeschlagen"
13 | 
14 | msgid "Name for this key"
15 | msgstr "Name für diesen Schlüssel"
16 | 
17 | msgid "Key was created successfully!"
18 | msgstr "Schlüssel wurde erfolgreich erstellt!"
19 | 


--------------------------------------------------------------------------------
/mfa/locale/fr/LC_MESSAGES/django.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/locale/fr/LC_MESSAGES/django.mo


--------------------------------------------------------------------------------
/mfa/locale/fr/LC_MESSAGES/django.po:
--------------------------------------------------------------------------------
 1 | msgid ""
 2 | msgstr ""
 3 | "Report-Msgid-Bugs-To: \n"
 4 | "POT-Creation-Date: 2023-03-19 18:47+0100\n"
 5 | "MIME-Version: 1.0\n"
 6 | "Content-Type: text/plain; charset=UTF-8\n"
 7 | "Content-Transfer-Encoding: 8bit\n"
 8 | "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 9 | 
10 | msgid "Authentication code"
11 | msgstr "Code d'authentification"
12 | 
13 | msgid "Validation failed"
14 | msgstr "Echec de la validation"
15 | 
16 | msgid "Name for this key"
17 | msgstr "Nom de cette clé"
18 | 
19 | #, python-format
20 | msgid ""
21 | "Attempted login to %(site_name)s using a wrong two-factor authentication code"
22 | msgstr ""
23 | "Tentative de connexion à %(site_name)s avec un code double-facteur incorrect"
24 | 
25 | msgid "Key was created successfully!"
26 | msgstr "La clé a bien été créé !"
27 | 


--------------------------------------------------------------------------------
/mfa/mail.py:
--------------------------------------------------------------------------------
 1 | from django.core.mail import EmailMultiAlternatives
 2 | from django.template import TemplateDoesNotExist
 3 | from django.template import loader
 4 | 
 5 | from . import settings
 6 | 
 7 | SUBJECT_TEMPLATE = 'mfa/login_failed_subject.txt'
 8 | BODY_TEMPLATE = 'mfa/login_failed_email.txt'
 9 | HTML_TEMPLATE = 'mfa/login_failed_email.html'
10 | 
11 | 
12 | def send_mail(user, method):
13 |     email_field_name = user.get_email_field_name()
14 |     user_email = getattr(user, email_field_name)
15 |     if not user_email:
16 |         return 0
17 | 
18 |     context = {
19 |         'email': user_email,
20 |         'domain': settings.DOMAIN,
21 |         'site_name': settings.SITE_TITLE,
22 |         'user': user,
23 |         'method': method.name,
24 |     }
25 | 
26 |     try:
27 |         subject = loader.render_to_string(SUBJECT_TEMPLATE, context)
28 |         subject = ' '.join(subject.splitlines()).strip()
29 |         body = loader.render_to_string(BODY_TEMPLATE, context)
30 |     except TemplateDoesNotExist:
31 |         return 0
32 | 
33 |     message = EmailMultiAlternatives(
34 |         subject,
35 |         body,
36 |         to=[user_email],
37 |         headers={'Auto-Submitted': 'auto-generated'},
38 |     )
39 | 
40 |     try:
41 |         html_body = loader.render_to_string(HTML_TEMPLATE, context)
42 |         message.attach_alternative(html_body, 'text/html')
43 |     except TemplateDoesNotExist:
44 |         pass
45 | 
46 |     return message.send()
47 | 


--------------------------------------------------------------------------------
/mfa/methods/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/methods/__init__.py


--------------------------------------------------------------------------------
/mfa/methods/fido2.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | 
 3 | from fido2.server import Fido2Server
 4 | from fido2.utils import websafe_decode
 5 | from fido2.utils import websafe_encode
 6 | from fido2.webauthn import AttestedCredentialData
 7 | from fido2.webauthn import PublicKeyCredentialRpEntity
 8 | from fido2.webauthn import PublicKeyCredentialUserEntity
 9 | 
10 | from .. import settings
11 | 
12 | name = 'FIDO2'
13 | 
14 | fido2 = Fido2Server(
15 |     PublicKeyCredentialRpEntity(id=settings.DOMAIN, name=settings.SITE_TITLE),
16 | )
17 | 
18 | 
19 | def get_credentials(user):
20 |     keys = user.mfakey_set.filter(method=name)
21 |     return [AttestedCredentialData(websafe_decode(key.secret)) for key in keys]
22 | 
23 | 
24 | def register_begin(user):
25 |     registration_data, state = fido2.register_begin(
26 |         PublicKeyCredentialUserEntity(
27 |             id=str(user.id).encode('utf-8'),
28 |             name=user.get_username(),
29 |             display_name=user.get_full_name(),
30 |         ),
31 |         get_credentials(user),
32 |         user_verification=settings.FIDO2_USER_VERIFICATION,
33 |     )
34 |     return json.dumps(dict(registration_data)), state
35 | 
36 | 
37 | def register_complete(state, request_data):
38 |     auth_data = fido2.register_complete(state, json.loads(request_data))
39 |     return websafe_encode(auth_data.credential_data)
40 | 
41 | 
42 | def authenticate_begin(user):
43 |     credentials = get_credentials(user)
44 |     auth_data, state = fido2.authenticate_begin(
45 |         credentials,
46 |         user_verification=settings.FIDO2_USER_VERIFICATION,
47 |     )
48 |     return json.dumps(dict(auth_data)), state
49 | 
50 | 
51 | def authenticate_complete(state, user, request_data):
52 |     fido2.authenticate_complete(
53 |         state,
54 |         get_credentials(user),
55 |         json.loads(request_data),
56 |     )
57 | 


--------------------------------------------------------------------------------
/mfa/methods/recovery.py:
--------------------------------------------------------------------------------
 1 | import pyotp
 2 | from django.contrib.auth.hashers import check_password
 3 | from django.contrib.auth.hashers import make_password
 4 | 
 5 | name = 'recovery'
 6 | 
 7 | 
 8 | def register_begin(user):
 9 |     secret = pyotp.random_base32()
10 |     totp = pyotp.TOTP(secret, digits=10)
11 |     code = totp.now()
12 |     code = f'{code[:5]}-{code[5:]}'
13 |     state = make_password(code)
14 |     return {'code': code}, state
15 | 
16 | 
17 | def register_complete(state, request_data):
18 |     if not check_password(request_data, state):
19 |         raise ValueError
20 |     return state
21 | 
22 | 
23 | def authenticate_begin(user):
24 |     return None, None
25 | 
26 | 
27 | def authenticate_complete(state, user, request_data):
28 |     keys = user.mfakey_set.filter(method=name)
29 |     for key in keys:
30 |         if check_password(request_data, key.secret):
31 |             key.delete()
32 |             return
33 |     raise ValueError
34 | 


--------------------------------------------------------------------------------
/mfa/methods/totp.py:
--------------------------------------------------------------------------------
 1 | import pyotp
 2 | 
 3 | from .. import settings
 4 | 
 5 | name = 'TOTP'
 6 | 
 7 | 
 8 | def register_begin(user):
 9 |     secret = pyotp.random_base32()
10 |     totp = pyotp.TOTP(secret)
11 |     url = totp.provisioning_uri(
12 |         user.get_username(),
13 |         issuer_name=settings.SITE_TITLE,
14 |     )
15 |     return {'url': url, 'secret': secret}, secret
16 | 
17 | 
18 | def register_complete(state, request_data):
19 |     totp = pyotp.TOTP(state)
20 |     if not totp.verify(request_data):
21 |         raise ValueError
22 |     return state
23 | 
24 | 
25 | def authenticate_begin(user):
26 |     return None, None
27 | 
28 | 
29 | def authenticate_complete(state, user, request_data):
30 |     keys = user.mfakey_set.filter(method=name)
31 |     for key in keys:
32 |         totp = pyotp.TOTP(key.secret)
33 |         if (totp.verify(request_data, valid_window=settings.TOTP_VALID_WINDOW)
34 |                 and request_data != key.last_code):
35 |             key.last_code = request_data
36 |             key.save()
37 |             return
38 |     raise ValueError
39 | 


--------------------------------------------------------------------------------
/mfa/middleware.py:
--------------------------------------------------------------------------------
 1 | from django.shortcuts import redirect
 2 | from django.utils.deprecation import MiddlewareMixin
 3 | 
 4 | 
 5 | class MFAEnforceMiddleware(MiddlewareMixin):
 6 |     def process_view(self, request, view_func, view_args, view_kwargs):
 7 |         if (
 8 |             not getattr(view_func, 'mfa_public', False)
 9 |             and request.user.is_authenticated
10 |             and not request.user.mfakey_set.exists()
11 |         ):
12 |             return redirect('mfa:list')
13 | 


--------------------------------------------------------------------------------
/mfa/migrations/0001_initial.py:
--------------------------------------------------------------------------------
 1 | # Generated by Django 3.2.4 on 2021-06-20 12:32
 2 | 
 3 | from django.conf import settings
 4 | from django.db import migrations, models
 5 | import django.db.models.deletion
 6 | 
 7 | 
 8 | class Migration(migrations.Migration):
 9 | 
10 |     initial = True
11 | 
12 |     dependencies = [
13 |         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
14 |     ]
15 | 
16 |     operations = [
17 |         migrations.CreateModel(
18 |             name='MFAKey',
19 |             fields=[
20 |                 ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
21 |                 ('method', models.CharField(choices=[('FIDO2', 'FIDO2'), ('TOTP', 'TOTP')], max_length=8)),
22 |                 ('name', models.CharField(max_length=32)),
23 |                 ('secret', models.TextField()),
24 |                 ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
25 |             ],
26 |         ),
27 |     ]
28 | 


--------------------------------------------------------------------------------
/mfa/migrations/0002_mfakey_last_code.py:
--------------------------------------------------------------------------------
 1 | # Generated by Django 3.2.4 on 2021-06-20 22:32
 2 | 
 3 | from django.db import migrations, models
 4 | 
 5 | 
 6 | class Migration(migrations.Migration):
 7 | 
 8 |     dependencies = [
 9 |         ('mfa', '0001_initial'),
10 |     ]
11 | 
12 |     operations = [
13 |         migrations.AddField(
14 |             model_name='mfakey',
15 |             name='last_code',
16 |             field=models.CharField(blank=True, max_length=32),
17 |         ),
18 |     ]
19 | 


--------------------------------------------------------------------------------
/mfa/migrations/0003_alter_mfakey_method.py:
--------------------------------------------------------------------------------
 1 | # Generated by Django 3.2.4 on 2021-07-31 06:59
 2 | 
 3 | from django.db import migrations, models
 4 | 
 5 | 
 6 | class Migration(migrations.Migration):
 7 | 
 8 |     dependencies = [
 9 |         ('mfa', '0002_mfakey_last_code'),
10 |     ]
11 | 
12 |     operations = [
13 |         migrations.AlterField(
14 |             model_name='mfakey',
15 |             name='method',
16 |             field=models.CharField(choices=[('FIDO2', 'FIDO2'), ('TOTP', 'TOTP'), ('recovery', 'recovery')], max_length=8),
17 |         ),
18 |     ]
19 | 


--------------------------------------------------------------------------------
/mfa/migrations/0004_alter_mfakey_id.py:
--------------------------------------------------------------------------------
 1 | from django.db import migrations, models
 2 | 
 3 | 
 4 | class Migration(migrations.Migration):
 5 |     dependencies = [
 6 |         ("mfa", "0003_alter_mfakey_method"),
 7 |     ]
 8 | 
 9 |     operations = [
10 |         migrations.AlterField(
11 |             model_name="mfakey",
12 |             name="id",
13 |             field=models.BigAutoField(
14 |                 primary_key=True, serialize=False, verbose_name="ID"
15 |             ),
16 |         ),
17 |     ]
18 | 


--------------------------------------------------------------------------------
/mfa/migrations/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/migrations/__init__.py


--------------------------------------------------------------------------------
/mfa/mixins.py:
--------------------------------------------------------------------------------
 1 | from django.http import Http404
 2 | from django.utils.decorators import method_decorator
 3 | from django.views.decorators.cache import never_cache
 4 | from django.views.decorators.debug import sensitive_post_parameters
 5 | from django.views.generic import FormView
 6 | 
 7 | from . import settings
 8 | from .methods import fido2
 9 | from .methods import recovery
10 | from .methods import totp
11 | 
12 | 
13 | class MFAFormView(FormView):
14 |     @property
15 |     def method(self):
16 |         if self.kwargs['method'] in settings.METHODS:
17 |             if self.kwargs['method'] == 'FIDO2':
18 |                 return fido2
19 |             elif self.kwargs['method'] == 'TOTP':
20 |                 return totp
21 |             elif self.kwargs['method'] == 'recovery':
22 |                 return recovery
23 |         raise Http404
24 | 
25 |     @property
26 |     def challenge(self):
27 |         try:
28 |             return self.request.session['mfa_challenge']
29 |         except KeyError as e:
30 |             raise Http404 from e
31 | 
32 |     def begin(self):
33 |         raise NotImplementedError  # pragma: no cover
34 | 
35 |     def complete(self, code):
36 |         raise NotImplementedError  # pragma: no cover
37 | 
38 |     @method_decorator(sensitive_post_parameters())
39 |     @method_decorator(never_cache)
40 |     def dispatch(self, *args, **kwargs):
41 |         return super().dispatch(*args, **kwargs)
42 | 
43 |     def get_context_data(self, **kwargs):
44 |         context = super().get_context_data(**kwargs)
45 |         if 'mfa_data' not in context:
46 |             data, state = self.begin()
47 |             self.request.session['mfa_challenge'] = (data, state)
48 |             context['mfa_data'] = data
49 |         return context
50 | 
51 |     def get_form_kwargs(self):
52 |         kwargs = super().get_form_kwargs()
53 |         kwargs['validate_code'] = self.complete
54 |         return kwargs
55 | 
56 |     def form_invalid(self, form):
57 |         # do not generate a new challenge
58 |         return self.render_to_response(self.get_context_data(
59 |             form=form, mfa_data=self.challenge[0]
60 |         ))
61 | 
62 |     def form_valid(self, form):
63 |         del self.request.session['mfa_challenge']
64 |         return super().form_valid(form)
65 | 


--------------------------------------------------------------------------------
/mfa/models.py:
--------------------------------------------------------------------------------
 1 | from django.conf import settings
 2 | from django.db import models
 3 | 
 4 | 
 5 | class MFAKey(models.Model):
 6 |     id = models.BigAutoField(primary_key=True, serialize=False, verbose_name='ID')
 7 |     user = models.ForeignKey(
 8 |         settings.AUTH_USER_MODEL, on_delete=models.CASCADE
 9 |     )
10 |     method = models.CharField(max_length=8, choices=[
11 |         ('FIDO2', 'FIDO2'),
12 |         ('TOTP', 'TOTP'),
13 |         ('recovery', 'recovery'),
14 |     ])
15 |     name = models.CharField(max_length=32)
16 |     secret = models.TextField()
17 |     # replay protection
18 |     last_code = models.CharField(max_length=32, blank=True)
19 | 


--------------------------------------------------------------------------------
/mfa/settings.py:
--------------------------------------------------------------------------------
 1 | from django.conf import settings
 2 | 
 3 | # The actual domain (e.g. "example.com") that this is hosted on
 4 | # FIDO2 will fail if this is not set correctly
 5 | DOMAIN = settings.MFA_DOMAIN
 6 | 
 7 | # Site title that is shown in authenticator apps
 8 | SITE_TITLE = settings.MFA_SITE_TITLE
 9 | 
10 | # Available authentication methods in order of relevance
11 | METHODS = getattr(settings, 'MFA_METHODS', ['FIDO2', 'TOTP', 'recovery'])
12 | 
13 | # `valid_window` parameter passed to PyOTP's verify method
14 | # See https://pyauth.github.io/pyotp/#pyotp.totp.TOTP.verify
15 | TOTP_VALID_WINDOW = getattr(settings, 'MFA_TOTP_VALID_WINDOW', 0)
16 | 
17 | # `user_verification` parameter passed to python-fido2
18 | # See https://www.w3.org/TR/webauthn/#enum-userVerificationRequirement
19 | FIDO2_USER_VERIFICATION = getattr(settings, 'MFA_FIDO2_USER_VERIFICATION', None)
20 | 


--------------------------------------------------------------------------------
/mfa/static/mfa/fido2.js:
--------------------------------------------------------------------------------
 1 | import * as webauthnJSON from './vendor/webauthn-json.browser-ponyfill.js';
 2 | 
 3 | var initCreate = function() {
 4 |     var form = document.querySelector('form[data-fido2-create]');
 5 |     if (form) {
 6 |         var options = webauthnJSON.parseCreationOptionsFromJSON(
 7 |             JSON.parse(form.dataset.fido2Create)
 8 |         );
 9 |         form.addEventListener('submit', function(event) {
10 |             event.preventDefault();
11 | 
12 |             webauthnJSON.create(options).then(attestation => {
13 |                 this.code.value = JSON.stringify(attestation);
14 |                 form.submit();
15 |             }).catch(alert);
16 |         });
17 |     }
18 | };
19 | 
20 | var initAuth = function() {
21 |     var form = document.querySelector('form[data-fido2-auth]');
22 |     if (form) {
23 |         var options = webauthnJSON.parseRequestOptionsFromJSON(
24 |             JSON.parse(form.dataset.fido2Auth)
25 |         );
26 |         form.addEventListener('submit', function(event) {
27 |             event.preventDefault();
28 | 
29 |             webauthnJSON.get(options).then(assertion => {
30 |                 this.code.value = JSON.stringify(assertion);
31 |                 form.submit();
32 |             }).catch(alert);
33 |         });
34 |     }
35 | };
36 | 
37 | initCreate();
38 | initAuth();
39 | 


--------------------------------------------------------------------------------
/mfa/static/mfa/vendor/webauthn-json.browser-ponyfill.js:
--------------------------------------------------------------------------------
  1 | /*!
  2 |  * @github/webauthn-json 2.1.1
  3 |  * Copyright (c) 2019 GitHub, Inc.
  4 |  *
  5 |  * Permission is hereby granted, free of charge, to any person obtaining a copy
  6 |  * of this software and associated documentation files (the "Software"), to
  7 |  * deal in the Software without restriction, including without limitation the
  8 |  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
  9 |  * sell copies of the Software, and to permit persons to whom the Software is
 10 |  * furnished to do so, subject to the following conditions:
 11 |  *
 12 |  * The above copyright notice and this permission notice shall be included in
 13 |  * all copies or substantial portions of the Software.
 14 |  *
 15 |  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 16 |  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 17 |  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 18 |  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 19 |  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 20 |  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 21 |  * IN THE SOFTWARE.
 22 |  */
 23 | 
 24 | // src/webauthn-json/base64url.ts
 25 | function base64urlToBuffer(baseurl64String) {
 26 |   const padding = "==".slice(0, (4 - baseurl64String.length % 4) % 4);
 27 |   const base64String = baseurl64String.replace(/-/g, "+").replace(/_/g, "/") + padding;
 28 |   const str = atob(base64String);
 29 |   const buffer = new ArrayBuffer(str.length);
 30 |   const byteView = new Uint8Array(buffer);
 31 |   for (let i = 0; i < str.length; i++) {
 32 |     byteView[i] = str.charCodeAt(i);
 33 |   }
 34 |   return buffer;
 35 | }
 36 | function bufferToBase64url(buffer) {
 37 |   const byteView = new Uint8Array(buffer);
 38 |   let str = "";
 39 |   for (const charCode of byteView) {
 40 |     str += String.fromCharCode(charCode);
 41 |   }
 42 |   const base64String = btoa(str);
 43 |   const base64urlString = base64String.replace(/\+/g, "-").replace(
 44 |     /\//g,
 45 |     "_"
 46 |   ).replace(/=/g, "");
 47 |   return base64urlString;
 48 | }
 49 | 
 50 | // src/webauthn-json/convert.ts
 51 | var copyValue = "copy";
 52 | var convertValue = "convert";
 53 | function convert(conversionFn, schema, input) {
 54 |   if (schema === copyValue) {
 55 |     return input;
 56 |   }
 57 |   if (schema === convertValue) {
 58 |     return conversionFn(input);
 59 |   }
 60 |   if (schema instanceof Array) {
 61 |     return input.map((v) => convert(conversionFn, schema[0], v));
 62 |   }
 63 |   if (schema instanceof Object) {
 64 |     const output = {};
 65 |     for (const [key, schemaField] of Object.entries(schema)) {
 66 |       if (schemaField.derive) {
 67 |         const v = schemaField.derive(input);
 68 |         if (v !== void 0) {
 69 |           input[key] = v;
 70 |         }
 71 |       }
 72 |       if (!(key in input)) {
 73 |         if (schemaField.required) {
 74 |           throw new Error(`Missing key: ${key}`);
 75 |         }
 76 |         continue;
 77 |       }
 78 |       if (input[key] == null) {
 79 |         output[key] = null;
 80 |         continue;
 81 |       }
 82 |       output[key] = convert(
 83 |         conversionFn,
 84 |         schemaField.schema,
 85 |         input[key]
 86 |       );
 87 |     }
 88 |     return output;
 89 |   }
 90 | }
 91 | function derived(schema, derive) {
 92 |   return {
 93 |     required: true,
 94 |     schema,
 95 |     derive
 96 |   };
 97 | }
 98 | function required(schema) {
 99 |   return {
100 |     required: true,
101 |     schema
102 |   };
103 | }
104 | function optional(schema) {
105 |   return {
106 |     required: false,
107 |     schema
108 |   };
109 | }
110 | 
111 | // src/webauthn-json/basic/schema.ts
112 | var publicKeyCredentialDescriptorSchema = {
113 |   type: required(copyValue),
114 |   id: required(convertValue),
115 |   transports: optional(copyValue)
116 | };
117 | var simplifiedExtensionsSchema = {
118 |   appid: optional(copyValue),
119 |   appidExclude: optional(copyValue),
120 |   credProps: optional(copyValue)
121 | };
122 | var simplifiedClientExtensionResultsSchema = {
123 |   appid: optional(copyValue),
124 |   appidExclude: optional(copyValue),
125 |   credProps: optional(copyValue)
126 | };
127 | var credentialCreationOptions = {
128 |   publicKey: required({
129 |     rp: required(copyValue),
130 |     user: required({
131 |       id: required(convertValue),
132 |       name: required(copyValue),
133 |       displayName: required(copyValue)
134 |     }),
135 |     challenge: required(convertValue),
136 |     pubKeyCredParams: required(copyValue),
137 |     timeout: optional(copyValue),
138 |     excludeCredentials: optional([publicKeyCredentialDescriptorSchema]),
139 |     authenticatorSelection: optional(copyValue),
140 |     attestation: optional(copyValue),
141 |     extensions: optional(simplifiedExtensionsSchema)
142 |   }),
143 |   signal: optional(copyValue)
144 | };
145 | var publicKeyCredentialWithAttestation = {
146 |   type: required(copyValue),
147 |   id: required(copyValue),
148 |   rawId: required(convertValue),
149 |   authenticatorAttachment: optional(copyValue),
150 |   response: required({
151 |     clientDataJSON: required(convertValue),
152 |     attestationObject: required(convertValue),
153 |     transports: derived(
154 |       copyValue,
155 |       (response) => {
156 |         var _a;
157 |         return ((_a = response.getTransports) == null ? void 0 : _a.call(response)) || [];
158 |       }
159 |     )
160 |   }),
161 |   clientExtensionResults: derived(
162 |     simplifiedClientExtensionResultsSchema,
163 |     (pkc) => pkc.getClientExtensionResults()
164 |   )
165 | };
166 | var credentialRequestOptions = {
167 |   mediation: optional(copyValue),
168 |   publicKey: required({
169 |     challenge: required(convertValue),
170 |     timeout: optional(copyValue),
171 |     rpId: optional(copyValue),
172 |     allowCredentials: optional([publicKeyCredentialDescriptorSchema]),
173 |     userVerification: optional(copyValue),
174 |     extensions: optional(simplifiedExtensionsSchema)
175 |   }),
176 |   signal: optional(copyValue)
177 | };
178 | var publicKeyCredentialWithAssertion = {
179 |   type: required(copyValue),
180 |   id: required(copyValue),
181 |   rawId: required(convertValue),
182 |   authenticatorAttachment: optional(copyValue),
183 |   response: required({
184 |     clientDataJSON: required(convertValue),
185 |     authenticatorData: required(convertValue),
186 |     signature: required(convertValue),
187 |     userHandle: required(convertValue)
188 |   }),
189 |   clientExtensionResults: derived(
190 |     simplifiedClientExtensionResultsSchema,
191 |     (pkc) => pkc.getClientExtensionResults()
192 |   )
193 | };
194 | 
195 | // src/webauthn-json/basic/api.ts
196 | function createRequestFromJSON(requestJSON) {
197 |   return convert(base64urlToBuffer, credentialCreationOptions, requestJSON);
198 | }
199 | function createResponseToJSON(credential) {
200 |   return convert(
201 |     bufferToBase64url,
202 |     publicKeyCredentialWithAttestation,
203 |     credential
204 |   );
205 | }
206 | function getRequestFromJSON(requestJSON) {
207 |   return convert(base64urlToBuffer, credentialRequestOptions, requestJSON);
208 | }
209 | function getResponseToJSON(credential) {
210 |   return convert(
211 |     bufferToBase64url,
212 |     publicKeyCredentialWithAssertion,
213 |     credential
214 |   );
215 | }
216 | 
217 | // src/webauthn-json/basic/supported.ts
218 | function supported() {
219 |   return !!(navigator.credentials && navigator.credentials.create && navigator.credentials.get && window.PublicKeyCredential);
220 | }
221 | 
222 | // src/webauthn-json/browser-ponyfill.ts
223 | async function create(options) {
224 |   const response = await navigator.credentials.create(
225 |     options
226 |   );
227 |   response.toJSON = () => createResponseToJSON(response);
228 |   return response;
229 | }
230 | async function get(options) {
231 |   const response = await navigator.credentials.get(
232 |     options
233 |   );
234 |   response.toJSON = () => getResponseToJSON(response);
235 |   return response;
236 | }
237 | export {
238 |   create,
239 |   get,
240 |   createRequestFromJSON as parseCreationOptionsFromJSON,
241 |   getRequestFromJSON as parseRequestOptionsFromJSON,
242 |   supported
243 | };
244 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/auth_FIDO2.html:
--------------------------------------------------------------------------------
 1 | {% load static %}
 2 | 
 3 | <h1>Two-factor authentication</h1>
 4 | <p>When you are ready to authenticate with FIDO2, press the button below.</p>
 5 | 
 6 | <form data-fido2-auth="{{ mfa_data }}" method="POST">
 7 |     {% csrf_token %}
 8 |     {% for error in form.errors %}
 9 |         <p>{{ error }}</p>
10 |     {% endfor %}
11 |     {{ form.code.as_hidden }}
12 |     <button autofocus>Verify</button>
13 |     <a href="{% url 'mfa:auth' 'TOTP' %}">Use TOTP instead</a>
14 |     <a href="{% url 'mfa:auth' 'recovery' %}">Use recovery code instead</a>
15 | </form>
16 | 
17 | <script src="{% static 'mfa/fido2.js' %}" type="module"></script>
18 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/auth_TOTP.html:
--------------------------------------------------------------------------------
 1 | <h1>Two-factor authentication</h1>
 2 | <p>Open your TOTP app to get an authentication code.</p>
 3 | 
 4 | <form method="POST">
 5 |     {% csrf_token %}
 6 |     {% for error in form.non_field_errors %}
 7 |         <p>{{ error }}</p>
 8 |     {% endfor %}
 9 |     <label>
10 |         {{ form.code.label }}
11 |         {{ form.code }}
12 |     </label>
13 |     <button>Verify</button>
14 |     <a href="{% url 'mfa:auth' 'FIDO2' %}">Use FIDO2 instead</a>
15 |     <a href="{% url 'mfa:auth' 'recovery' %}">Use recovery code instead</a>
16 | </form>
17 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/auth_recovery.html:
--------------------------------------------------------------------------------
 1 | <h1>Two-factor authentication</h1>
 2 | 
 3 | <p>
 4 |     <strong>WARNING</strong>:
 5 |     The recovery code will be removed after it has been used.
 6 |     Make sure to create a new one after login!
 7 | </p>
 8 | 
 9 | <form method="POST">
10 |     {% csrf_token %}
11 |     {% for error in form.non_field_errors %}
12 |         <p>{{ error }}</p>
13 |     {% endfor %}
14 |     <label>
15 |         {{ form.code.label }}
16 |         {{ form.code }}
17 |     </label>
18 |     <button>Verify</button>
19 |     <a href="{% url 'mfa:auth' 'FIDO2' %}">Use FIDO2 instead</a>
20 |     <a href="{% url 'mfa:auth' 'TOTP' %}">Use TOTP instead</a>
21 | </form>
22 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/create_FIDO2.html:
--------------------------------------------------------------------------------
 1 | {% load static %}
 2 | 
 3 | <p>You will be prompted to activate the device once you click "create".</p>
 4 | 
 5 | <form data-fido2-create="{{ mfa_data }}" method="POST">
 6 |     {% csrf_token %}
 7 |     {% for error in form.non_field_errors %}
 8 |         <p>{{ error }}</p>
 9 |     {% endfor %}
10 |     <label>
11 |         {{ form.name.label }}
12 |         {{ form.name }}
13 |     </label>
14 |     {{ form.code.as_hidden }}
15 |     <button>Create</button>
16 | </form>
17 | 
18 | <script src="{% static 'mfa/fido2.js' %}" type="module"></script>
19 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/create_TOTP.html:
--------------------------------------------------------------------------------
 1 | {% load mfa %}
 2 | 
 3 | <p>Scan the code with your TOTP app and enter a valid code to finish registration.</p>
 4 | 
 5 | {{ mfa_data.url|qrcode }}
 6 | {{ mfa_data.secret }}
 7 | 
 8 | <form method="POST">
 9 |     {% csrf_token %}
10 |     {% for error in form.non_field_errors %}
11 |         <p>{{ error }}</p>
12 |     {% endfor %}
13 |     <label>
14 |         {{ form.name.label }}
15 |         {{ form.name }}
16 |     </label>
17 |     <label>
18 |         {{ form.code.label }}
19 |         {{ form.code }}
20 |     </label>
21 |     <button>Create</button>
22 | </form>
23 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/create_recovery.html:
--------------------------------------------------------------------------------
 1 | {% load mfa %}
 2 | 
 3 | <p>A recovery code can be used when you lose access to your other two-factor authentication options. Each recovery code can only be used once.</p>
 4 | <p>Make sure to store it in a safe place! If you lose your login keys and don’t have the recovery codes you will lose access to your account.</p>
 5 | 
 6 | <form method="POST">
 7 |     {% csrf_token %}
 8 |     {% for error in form.non_field_errors %}
 9 |         <p>{{ error }}</p>
10 |     {% endfor %}
11 |     <label>
12 |         {{ form.name.label }}
13 |         {{ form.name }}
14 |     </label>
15 |     <label>
16 |         {{ form.code.label }}
17 |         <input name="code" value="{{ mfa_data.code }}" readonly>
18 |     </label>
19 |     <label>
20 |         <input type="checkbox" required>
21 |         I have safely stored the code
22 |     </label>
23 |     <button>Create</button>
24 | </form>
25 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/login_failed_subject.txt:
--------------------------------------------------------------------------------
1 | {% load i18n %}{% autoescape off %}
2 | {% blocktranslate %}Attempted login to {{ site_name }} using a wrong two-factor authentication code{% endblocktranslate %}
3 | {% endautoescape %}


--------------------------------------------------------------------------------
/mfa/templates/mfa/mfakey_confirm_delete.html:
--------------------------------------------------------------------------------
1 | <p>Are you sure you want to delete the key {{ object.name }}?</p>
2 | <form method="POST">
3 |     {% csrf_token %}
4 |     <button>Confirm</button>
5 | </form>
6 | 


--------------------------------------------------------------------------------
/mfa/templates/mfa/mfakey_list.html:
--------------------------------------------------------------------------------
 1 | <h1> {% if object_list %}Login keys configured{% else %}No login keys configured{% endif %}</h1>
 2 | <p>Two-factor authentication adds an additional layer of security to your account by requiring more than just a password to log in.</p>
 3 | 
 4 | {% if object_list|length == 1 %}
 5 |     <p>
 6 |         <strong>WARNING</strong>:
 7 |         You have registered only a single key. If you lose access to that key you won't be able log into your account again.
 8 |         <a href="{% url 'mfa:create' 'recovery' %}">Create recovery code</a>
 9 |     </p>
10 | {% endif %}
11 | 
12 | <ul>
13 |     {% for key in object_list %}
14 |         <li>
15 |             {{ key.name }} ({{ key.method }})
16 |             <a href="{% url 'mfa:delete' key.id %}">Delete</a>
17 |         </li>
18 |     {% endfor %}
19 | </ul>
20 | 
21 | <a href="{% url 'mfa:create' 'TOTP' %}">Create TOTP key</a>
22 | <a href="{% url 'mfa:create' 'FIDO2' %}">Create FIDO2 key</a>
23 | <a href="{% url 'mfa:create' 'recovery' %}">Create recovery code</a>
24 | 


--------------------------------------------------------------------------------
/mfa/templatetags/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/mfa/templatetags/__init__.py


--------------------------------------------------------------------------------
/mfa/templatetags/mfa.py:
--------------------------------------------------------------------------------
 1 | import qrcode
 2 | import qrcode.image.svg
 3 | from django import template
 4 | from django.utils.safestring import mark_safe
 5 | 
 6 | register = template.Library()
 7 | 
 8 | 
 9 | @register.filter(name='qrcode')
10 | def get_qrcode(url):
11 |     img = qrcode.make(url, image_factory=qrcode.image.svg.SvgImage)
12 |     s = img.to_string().decode('utf-8')
13 |     i = s.find('<svg')
14 |     return mark_safe(s[i:])
15 | 


--------------------------------------------------------------------------------
/mfa/urls.py:
--------------------------------------------------------------------------------
 1 | from django.urls import path
 2 | 
 3 | from .decorators import public
 4 | from .views import MFAAuthView
 5 | from .views import MFACreateView
 6 | from .views import MFADeleteView
 7 | from .views import MFAListView
 8 | 
 9 | app_name = 'mfa'
10 | urlpatterns = [
11 |     path('', public(MFAListView.as_view()), name='list'),
12 |     path('<int:pk>/delete/', public(MFADeleteView.as_view()), name='delete'),
13 |     path('create/<method>/', public(MFACreateView.as_view()), name='create'),
14 |     path('auth/<method>/', MFAAuthView.as_view(), name='auth'),
15 | ]
16 | 


--------------------------------------------------------------------------------
/mfa/views.py:
--------------------------------------------------------------------------------
  1 | from django.contrib import messages
  2 | from django.contrib.auth import get_user_model
  3 | from django.contrib.auth import login
  4 | from django.contrib.auth import user_login_failed
  5 | from django.contrib.auth.mixins import LoginRequiredMixin
  6 | from django.contrib.auth.views import LoginView as DjangoLoginView
  7 | from django.http import Http404
  8 | from django.shortcuts import get_object_or_404
  9 | from django.shortcuts import redirect
 10 | from django.urls import reverse
 11 | from django.utils.decorators import method_decorator
 12 | from django.utils.functional import cached_property
 13 | from django.utils.translation import gettext_lazy as _
 14 | from django.views.generic import DeleteView
 15 | from django.views.generic import ListView
 16 | 
 17 | from . import settings
 18 | from .decorators import login_not_required
 19 | from .decorators import stronghold_login_not_required
 20 | from .forms import MFAAuthForm
 21 | from .forms import MFACreateForm
 22 | from .mail import send_mail
 23 | from .mixins import MFAFormView
 24 | from .models import MFAKey
 25 | 
 26 | 
 27 | class LoginView(DjangoLoginView):
 28 |     def no_key_exists(self, form):
 29 |         return super().form_valid(form)
 30 | 
 31 |     def form_valid(self, form):
 32 |         user = form.get_user()
 33 |         if not user.mfakey_set.exists():
 34 |             return self.no_key_exists(form)
 35 | 
 36 |         self.request.session['mfa_user'] = {
 37 |             'pk': user.pk,
 38 |             'backend': user.backend,
 39 |         }
 40 |         self.request.session['mfa_success_url'] = self.get_success_url()
 41 |         for method in settings.METHODS:
 42 |             if user.mfakey_set.filter(method=method).exists():
 43 |                 return redirect('mfa:auth', method)
 44 | 
 45 | 
 46 | class MFAListView(LoginRequiredMixin, ListView):
 47 |     model = MFAKey
 48 | 
 49 |     def get_queryset(self):
 50 |         return super().get_queryset().filter(user=self.request.user)
 51 | 
 52 | 
 53 | class MFADeleteView(LoginRequiredMixin, DeleteView):
 54 |     model = MFAKey
 55 | 
 56 |     def get_queryset(self):
 57 |         return super().get_queryset().filter(user=self.request.user)
 58 | 
 59 |     def get_success_url(self):
 60 |         return reverse('mfa:list')
 61 | 
 62 | 
 63 | class MFACreateView(LoginRequiredMixin, MFAFormView):
 64 |     form_class = MFACreateForm
 65 | 
 66 |     def get_template_names(self):
 67 |         return f'mfa/create_{self.method.name}.html'
 68 | 
 69 |     def get_success_url(self):
 70 |         return reverse('mfa:list')
 71 | 
 72 |     def begin(self):
 73 |         return self.method.register_begin(self.request.user)
 74 | 
 75 |     def complete(self, code):
 76 |         return self.method.register_complete(self.challenge[1], code)
 77 | 
 78 |     def form_valid(self, form):
 79 |         MFAKey.objects.create(
 80 |             user=self.request.user,
 81 |             method=self.method.name,
 82 |             name=form.cleaned_data['name'],
 83 |             secret=form.cleaned_data['secret'],
 84 |         )
 85 |         messages.success(self.request, _('Key was created successfully!'))
 86 |         return super().form_valid(form)
 87 | 
 88 | 
 89 | @method_decorator(login_not_required, name='dispatch')
 90 | @method_decorator(stronghold_login_not_required, name='dispatch')
 91 | class MFAAuthView(MFAFormView):
 92 |     form_class = MFAAuthForm
 93 | 
 94 |     def get_template_names(self):
 95 |         return f'mfa/auth_{self.method.name}.html'
 96 | 
 97 |     def get_success_url(self):
 98 |         success_url = self.request.session.pop('mfa_success_url')
 99 |         if self.method.name == 'recovery':
100 |             return reverse('mfa:list')
101 |         else:
102 |             return success_url
103 | 
104 |     @cached_property
105 |     def user(self):
106 |         try:
107 |             user_data = self.request.session['mfa_user']
108 |         except KeyError as e:
109 |             raise Http404 from e
110 |         User = get_user_model()
111 |         user = get_object_or_404(User, pk=user_data['pk'])
112 |         user.backend = user_data['backend']
113 |         return user
114 | 
115 |     def begin(self):
116 |         return self.method.authenticate_begin(self.user)
117 | 
118 |     def complete(self, code):
119 |         return self.method.authenticate_complete(
120 |             self.challenge[1], self.user, code,
121 |         )
122 | 
123 |     def form_invalid(self, form):
124 |         user_login_failed.send(
125 |             sender=__name__,
126 |             credentials={'username': self.user.get_username()},
127 |             request=self.request,
128 |         )
129 |         send_mail(self.user, self.method)
130 |         return super().form_invalid(form)
131 | 
132 |     def form_valid(self, form):
133 |         login(self.request, self.user)
134 |         del self.request.session['mfa_user']
135 |         return super().form_valid(form)
136 | 


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
 1 | [build-system]
 2 | requires = ["setuptools"]
 3 | build-backend = "setuptools.build_meta"
 4 | 
 5 | [project]
 6 | name = "django-mfa3"
 7 | version = "1.0.0"
 8 | description = "multi factor authentication for django"
 9 | readme = "README.md"
10 | license = {text = "MIT"}
11 | keywords = ["django", "mfa", "two-factor-authentication", "webauthn", "fido2"]
12 | authors = [
13 |     {name = "Tobias Bengfort", email = "tobias.bengfort@posteo.de"},
14 | ]
15 | classifiers = [
16 |     "Development Status :: 4 - Beta",
17 |     "Environment :: Web Environment",
18 |     "Framework :: Django",
19 |     "Intended Audience :: Developers",
20 |     "License :: OSI Approved :: MIT License",
21 |     "Operating System :: OS Independent",
22 |     "Programming Language :: Python",
23 |     "Programming Language :: Python :: 3",
24 | ]
25 | dependencies = [
26 |     "pyotp",
27 |     "fido2>=2.0,<3.0",
28 |     # https://github.com/lincolnloop/python-qrcode/issues/317
29 |     "qrcode>=7.1,<7.4",
30 |     "django>=3.2",
31 | ]
32 | 
33 | [project.urls]
34 | Homepage = "https://github.com/xi/django-mfa3"
35 | 
36 | [tool.setuptools.packages.find]
37 | include = ["mfa*"]
38 | 
39 | [tool.setuptools.package-data]
40 | mfa = [
41 |     "templates/**/*.html",
42 |     "templates/**/*.txt",
43 |     "static/**/*.js",
44 |     "locale/**/*.po",
45 |     "locale/**/*.mo",
46 | ]
47 | 
48 | [tool.ruff]
49 | exclude = ["migrations"]
50 | 
51 | [tool.ruff.lint]
52 | select = ["E", "F", "W", "C9", "I", "Q", "UP", "RUF"]
53 | ignore = ["RUF012"]
54 | 
55 | [tool.ruff.lint.flake8-quotes]
56 | inline-quotes = "single"
57 | 
58 | [tool.ruff.lint.isort]
59 | force-single-line = true
60 | 
61 | [tool.coverage.run]
62 | source = ["mfa"]
63 | 


--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xi/django-mfa3/0ef97ebe4f3926550ae83dedf9305f7c62d68c33/tests/__init__.py


--------------------------------------------------------------------------------
/tests/settings.py:
--------------------------------------------------------------------------------
 1 | from pathlib import Path
 2 | 
 3 | import django
 4 | 
 5 | DEBUG = True
 6 | 
 7 | DATABASES = {
 8 |     'default': {
 9 |         'ENGINE': 'django.db.backends.sqlite3',
10 |         'NAME': ':memory:',
11 |     }
12 | }
13 | 
14 | EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
15 | 
16 | MIDDLEWARE = [
17 |     'django.middleware.common.CommonMiddleware',
18 |     'django.contrib.sessions.middleware.SessionMiddleware',
19 |     'django.contrib.auth.middleware.AuthenticationMiddleware',
20 |     'django.contrib.messages.middleware.MessageMiddleware',
21 |     'mfa.middleware.MFAEnforceMiddleware',
22 | ]
23 | 
24 | if django.VERSION >= (5, 1):
25 |     MIDDLEWARE.append('django.contrib.auth.middleware.LoginRequiredMiddleware')
26 | 
27 | AUTHENTICATION_BACKENDS = [
28 |     'django.contrib.auth.backends.ModelBackend',
29 | ]
30 | 
31 | PASSWORD_HASHERS = ['django.contrib.auth.hashers.MD5PasswordHasher']
32 | 
33 | ROOT_URLCONF = 'tests.urls'
34 | 
35 | INSTALLED_APPS = [
36 |     'django.contrib.auth',
37 |     'django.contrib.contenttypes',
38 |     'django.contrib.sessions',
39 |     'django.contrib.messages',
40 |     'django.contrib.admin',
41 |     'mfa',
42 | ]
43 | 
44 | TEMPLATES = [
45 |     {
46 |         'BACKEND': 'django.template.backends.django.DjangoTemplates',
47 |         'DIRS': [Path(__file__).parent / 'templates'],
48 |         'APP_DIRS': True,
49 |         'OPTIONS': {
50 |             'context_processors': [
51 |                 'django.template.context_processors.debug',
52 |                 'django.template.context_processors.request',
53 |                 'django.contrib.auth.context_processors.auth',
54 |                 'django.contrib.messages.context_processors.messages',
55 |             ]
56 |         },
57 |     }
58 | ]
59 | 
60 | SECRET_KEY = 'too-secret-for-test'
61 | SITE_ID = 1
62 | 
63 | USE_I18N = False
64 | USE_L10N = False
65 | USE_TZ = False
66 | 
67 | LOGIN_URL = '/login/'
68 | LOGIN_REDIRECT_URL = '/'
69 | 
70 | DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
71 | 
72 | MFA_DOMAIN = 'localhost'
73 | MFA_SITE_TITLE = 'Tests'
74 | 


--------------------------------------------------------------------------------
/tests/templates/mfa/login_failed_email.txt:
--------------------------------------------------------------------------------
 1 | Dear {{ user.username }},
 2 | 
 3 | We detected an attempt to log in to your account on {{ site_name }}
 4 | ({{ domain }}) using a wrong two-factor authentication code. This means someone
 5 | managed to enter the correct password, but failed at {{ method }}.
 6 | 
 7 | If this was you and you entered a wrong two-factor authentication code by
 8 | accident, you may ignore this email.
 9 | 
10 | If this was not you, we strongly recommend to change your password.
11 | 


--------------------------------------------------------------------------------
/tests/templates/registration/login.html:
--------------------------------------------------------------------------------
1 | <form method="POST">
2 |     {% csrf_token %}
3 | 
4 |     {{ form }}
5 |     <input type="hidden" name="next" value="{{ next }}">
6 |     <button>Login</button>
7 | </form>
8 | 


--------------------------------------------------------------------------------
/tests/tests.py:
--------------------------------------------------------------------------------
  1 | import pyotp
  2 | from django.contrib.auth.hashers import make_password
  3 | from django.contrib.auth.models import User
  4 | from django.core import mail
  5 | from django.test import TestCase
  6 | from fido2.server import _verify_origin_for_rp
  7 | 
  8 | from mfa.mail import send_mail
  9 | from mfa.methods import fido2
 10 | from mfa.models import MFAKey
 11 | from mfa.templatetags.mfa import get_qrcode
 12 | 
 13 | 
 14 | class MFATestCase(TestCase):
 15 |     def setUp(self):
 16 |         self.user = User.objects.create_user('test', password='password')
 17 | 
 18 |     def login(self):
 19 |         return self.client.post('/login/', {
 20 |             'username': 'test',
 21 |             'password': 'password',
 22 |         })
 23 | 
 24 |     def assert_not_logged_in(self):
 25 |         res = self.client.get('/')
 26 |         self.assertEqual(res.status_code, 302)
 27 |         self.assertEqual(res.url, '/login/?next=/')
 28 | 
 29 | 
 30 | class TOTPAuthViewTest(MFATestCase):
 31 |     def setUp(self):
 32 |         super().setUp()
 33 |         self.key = MFAKey.objects.create(
 34 |             user=self.user,
 35 |             method='TOTP',
 36 |             name='test',
 37 |             secret=pyotp.random_base32(),
 38 |         )
 39 |         self.totp = pyotp.TOTP(self.key.secret)
 40 | 
 41 |     def test_happy_flow(self):
 42 |         res = self.login()
 43 |         self.assertEqual(res.status_code, 302)
 44 |         self.assertEqual(res.url, '/mfa/auth/TOTP/')
 45 | 
 46 |         res = self.client.get('/mfa/auth/TOTP/')
 47 |         self.assertEqual(res.status_code, 200)
 48 | 
 49 |         res = self.client.post('/mfa/auth/TOTP/', {'code': self.totp.now()})
 50 |         self.assertEqual(res.status_code, 302)
 51 |         self.assertEqual(res.url, '/')
 52 | 
 53 |         res = self.client.get('/')
 54 |         self.assertEqual(res.status_code, 204)
 55 | 
 56 |     def test_invalid_method(self):
 57 |         self.login()
 58 |         res = self.client.get('/mfa/auth/INVALID/')
 59 |         self.assertEqual(res.status_code, 404)
 60 | 
 61 |     def test_not_logged_in_before_mfa_auth(self):
 62 |         self.login()
 63 |         self.assert_not_logged_in()
 64 | 
 65 |     def test_no_auth_without_login(self):
 66 |         res = self.client.get('/mfa/auth/TOTP/')
 67 |         self.assertEqual(res.status_code, 404)
 68 | 
 69 |     def test_no_auth_without_challenge(self):
 70 |         self.login()
 71 | 
 72 |         res = self.client.post('/mfa/auth/TOTP/', {'code': self.totp.now()})
 73 |         self.assertEqual(res.status_code, 404)
 74 |         self.assert_not_logged_in()
 75 | 
 76 |     def test_wrong_code(self):
 77 |         self.login()
 78 | 
 79 |         res = self.client.get('/mfa/auth/TOTP/')
 80 |         self.assertEqual(res.status_code, 200)
 81 | 
 82 |         res = self.client.post('/mfa/auth/TOTP/', {'code': 'invalid'})
 83 |         self.assertEqual(res.status_code, 200)
 84 |         self.assert_not_logged_in()
 85 | 
 86 | 
 87 | class TOTPCreateViewTest(MFATestCase):
 88 |     def test_happy_flow(self):
 89 |         self.client.force_login(self.user)
 90 | 
 91 |         res = self.client.get('/mfa/create/TOTP/')
 92 |         self.assertEqual(res.status_code, 200)
 93 |         totp = pyotp.TOTP(res.context['mfa_data']['secret'])
 94 | 
 95 |         res = self.client.post('/mfa/create/TOTP/', {
 96 |             'name': 'test',
 97 |             'code': totp.now()
 98 |         })
 99 |         self.assertEqual(res.status_code, 302)
100 |         self.assertEqual(res.url, '/mfa/')
101 | 
102 |         self.assertEqual(MFAKey.objects.count(), 1)
103 | 
104 |     def test_not_logged_in(self):
105 |         res = self.client.get('/mfa/create/TOTP/')
106 |         self.assertEqual(res.status_code, 302)
107 |         self.assertEqual(res.url, '/login/?next=/mfa/create/TOTP/')
108 | 
109 |     def test_no_create_without_challenge(self):
110 |         self.client.force_login(self.user)
111 | 
112 |         res = self.client.post('/mfa/create/TOTP/', {
113 |             'name': 'test',
114 |             'code': 'invalid',
115 |         })
116 |         self.assertEqual(res.status_code, 404)
117 |         self.assertEqual(MFAKey.objects.count(), 0)
118 | 
119 |     def test_wrong_code(self):
120 |         self.client.force_login(self.user)
121 | 
122 |         res = self.client.get('/mfa/create/TOTP/')
123 | 
124 |         res = self.client.post('/mfa/create/TOTP/', {
125 |             'name': 'test',
126 |             'code': 'invalid',
127 |         })
128 |         self.assertEqual(res.status_code, 200)
129 |         self.assertEqual(MFAKey.objects.count(), 0)
130 | 
131 |     def test_new_challenge_on_get(self):
132 |         self.client.force_login(self.user)
133 | 
134 |         res = self.client.get('/mfa/create/TOTP/')
135 |         secret1 = res.context['mfa_data']['secret']
136 | 
137 |         res = self.client.get('/mfa/create/TOTP/')
138 |         secret2 = res.context['mfa_data']['secret']
139 | 
140 |         self.assertNotEqual(secret1, secret2)
141 | 
142 |         totp = pyotp.TOTP(secret1)
143 |         self.client.post('/mfa/create/TOTP/', {
144 |             'name': 'test',
145 |             'code': totp.now()
146 |         })
147 |         self.assertEqual(MFAKey.objects.count(), 0)
148 | 
149 |     def test_keep_challenge_on_validation(self):
150 |         self.client.force_login(self.user)
151 | 
152 |         res = self.client.get('/mfa/create/TOTP/')
153 |         secret1 = res.context['mfa_data']['secret']
154 | 
155 |         res = self.client.post('/mfa/create/TOTP/', {
156 |             'name': 'test',
157 |             'code': 'invalid',
158 |         })
159 |         secret2 = res.context['mfa_data']['secret']
160 |         self.assertEqual(secret1, secret2)
161 | 
162 |         totp = pyotp.TOTP(secret1)
163 |         self.client.post('/mfa/create/TOTP/', {
164 |             'name': 'test',
165 |             'code': totp.now()
166 |         })
167 |         self.assertEqual(MFAKey.objects.count(), 1)
168 | 
169 | 
170 | class FIDO2Test(MFATestCase):
171 |     # I have no clue how to simulate a FIDO2 authenticator,
172 |     # so these are just some smoke tests.
173 | 
174 |     def test_login_redirect(self):
175 |         self.key = MFAKey.objects.create(
176 |             user=self.user,
177 |             method='FIDO2',
178 |             name='test',
179 |             secret='mock',
180 |         )
181 |         res = self.login()
182 |         self.assertEqual(res.status_code, 302)
183 |         self.assertEqual(res.url, '/mfa/auth/FIDO2/')
184 | 
185 |     def test_create(self):
186 |         self.client.force_login(self.user)
187 |         res = self.client.get('/mfa/create/FIDO2/')
188 |         self.assertEqual(res.status_code, 200)
189 | 
190 |     def test_origin_https(self):
191 |         for domain, value, expected in [
192 |             ('example.com', 'https://example.com', True),
193 |             ('example.com', 'http://example.com', False),
194 |             ('example.com', 'http://localhost:8000', False),
195 |             ('localhost', 'https://example.com', False),
196 |             ('localhost', 'http://localhost:8000', True),
197 |             ('localhost', 'http://127.0.0.1', False),
198 |             ('localhost', 'http://foo.localhost', True),
199 |             ('127.0.0.1', 'http://127.0.0.1', False),
200 |             ('foo.localhost', 'http://foo.localhost', True),
201 |         ]:
202 |             with self.subTest(domain=domain, value=value):
203 |                 verify = _verify_origin_for_rp(domain)
204 |                 self.assertEqual(verify(value), expected)
205 | 
206 | 
207 | class RecoveryTest(MFATestCase):
208 |     def test_create(self):
209 |         self.client.force_login(self.user)
210 | 
211 |         res = self.client.get('/mfa/create/recovery/')
212 |         self.assertEqual(res.status_code, 200)
213 |         code = res.context['mfa_data']['code']
214 |         self.assertEqual(len(code), 11)
215 | 
216 |         res = self.client.post('/mfa/create/recovery/', {
217 |             'name': 'test',
218 |             'code': 'invalid',
219 |         })
220 |         self.assertEqual(res.status_code, 200)
221 | 
222 |         res = self.client.post('/mfa/create/recovery/', {
223 |             'name': 'test',
224 |             'code': code,
225 |         })
226 |         self.assertEqual(res.status_code, 302)
227 |         self.assertEqual(res.url, '/mfa/')
228 | 
229 |         self.assertEqual(MFAKey.objects.count(), 1)
230 | 
231 |     def test_authenticate(self):
232 |         MFAKey.objects.create(
233 |             user=self.user,
234 |             method='FIDO2',
235 |             name='test',
236 |             secret='mock',
237 |         )
238 |         MFAKey.objects.create(
239 |             user=self.user,
240 |             method='recovery',
241 |             name='recovery',
242 |             secret=make_password('123456'),
243 |         )
244 | 
245 |         res = self.login()
246 |         self.assertEqual(res.status_code, 302)
247 | 
248 |         res = self.client.get('/mfa/auth/recovery/')
249 |         self.assertEqual(res.status_code, 200)
250 | 
251 |         res = self.client.post('/mfa/auth/recovery/', {'code': 'invalid'})
252 |         self.assertEqual(res.status_code, 200)
253 | 
254 |         res = self.client.post('/mfa/auth/recovery/', {'code': '123456'})
255 |         self.assertEqual(res.status_code, 302)
256 |         self.assertEqual(res.url, '/mfa/')
257 | 
258 |         res = self.client.get('/')
259 |         self.assertEqual(res.status_code, 204)
260 | 
261 |         self.assertEqual(MFAKey.objects.count(), 1)
262 | 
263 | 
264 | class MFAEnforceMiddlewareTest(MFATestCase):
265 |     def test_redirect(self):
266 |         self.login()
267 |         res = self.client.get('/')
268 |         self.assertEqual(res.status_code, 302)
269 |         self.assertEqual(res.url, '/mfa/')
270 | 
271 |     def test_public(self):
272 |         self.login()
273 |         res = self.client.post('/logout/')
274 |         self.assertEqual(res.status_code, 302)
275 |         self.assertEqual(res.url, '/')
276 | 
277 | 
278 | class PatchAdminTest(TestCase):
279 |     def test_root(self):
280 |         res = self.client.get('/admin/')
281 |         self.assertEqual(res.status_code, 302)
282 |         self.assertEqual(res.url, '/admin/login/?next=/admin/')
283 | 
284 |         res = self.client.get(res.url)
285 |         self.assertEqual(res.status_code, 302)
286 |         self.assertEqual(res.url, '/login/?next=/admin/')
287 | 
288 |     def test_app(self):
289 |         res = self.client.get('/admin/mfa/')
290 |         self.assertEqual(res.status_code, 302)
291 |         self.assertEqual(res.url, '/admin/login/?next=/admin/mfa/')
292 | 
293 |         res = self.client.get(res.url)
294 |         self.assertEqual(res.status_code, 302)
295 |         self.assertEqual(res.url, '/login/?next=/admin/mfa/')
296 | 
297 |     def test_login(self):
298 |         res = self.client.get('/admin/login/')
299 |         self.assertEqual(res.status_code, 302)
300 |         self.assertEqual(res.url, '/login/?next=/admin/')
301 | 
302 | 
303 | class ListViewTest(MFATestCase):
304 |     def test_list_view(self):
305 |         self.client.force_login(self.user)
306 |         MFAKey.objects.create(
307 |             user=self.user,
308 |             method='recovery',
309 |             name='recovery',
310 |             secret=make_password('123456'),
311 |         )
312 |         res = self.client.get('/mfa/')
313 |         self.assertEqual(res.status_code, 200)
314 |         self.assertEqual(res.content.count(b'<li>'), 1)
315 | 
316 | 
317 | class DeleteViewTest(MFATestCase):
318 |     def test_delete_view(self):
319 |         self.client.force_login(self.user)
320 |         key = MFAKey.objects.create(
321 |             user=self.user,
322 |             method='recovery',
323 |             name='recovery',
324 |             secret=make_password('123456'),
325 |         )
326 |         res = self.client.post(f'/mfa/{key.pk}/delete/')
327 |         self.assertEqual(res.status_code, 302)
328 |         self.assertEqual(res.url, '/mfa/')
329 |         self.assertEqual(MFAKey.objects.filter(pk=key.pk).count(), 0)
330 | 
331 | 
332 | class QRCodeTest(TestCase):
333 |     def test_is_svg(self):
334 |         code = get_qrcode('some_data')
335 |         self.assertTrue(code.startswith('<svg'))
336 |         self.assertTrue(code.endswith('</svg>'))
337 | 
338 | 
339 | class MailTest(TestCase):
340 |     def setUp(self):
341 |         self.user = User.objects.create_user(
342 |             'test', password='password', email='test@example.com'
343 |         )
344 | 
345 |     def test_send_mail(self):
346 |         count = send_mail(self.user, fido2)
347 |         self.assertEqual(count, 1)
348 | 
349 |         message = mail.outbox[0]
350 |         self.assertEqual(message.to, ['test@example.com'])
351 |         self.assertEqual(message.subject, 'Attempted login to Tests using a wrong two-factor authentication code')  # noqa
352 |         self.assertEqual(message.body, """Dear test,
353 | 
354 | We detected an attempt to log in to your account on Tests
355 | (localhost) using a wrong two-factor authentication code. This means someone
356 | managed to enter the correct password, but failed at FIDO2.
357 | 
358 | If this was you and you entered a wrong two-factor authentication code by
359 | accident, you may ignore this email.
360 | 
361 | If this was not you, we strongly recommend to change your password.
362 | """)
363 | 


--------------------------------------------------------------------------------
/tests/urls.py:
--------------------------------------------------------------------------------
 1 | from django.contrib import admin
 2 | from django.contrib.auth.decorators import login_required
 3 | from django.contrib.auth.views import LogoutView
 4 | from django.http import HttpResponse
 5 | from django.urls import include
 6 | from django.urls import path
 7 | 
 8 | from mfa.decorators import public
 9 | from mfa.views import LoginView
10 | 
11 | 
12 | def dummy(request):
13 |     return HttpResponse(status=204)
14 | 
15 | 
16 | urlpatterns = [
17 |     path('', login_required(dummy)),
18 |     path('login/', LoginView.as_view()),
19 |     path('logout/', public(LogoutView.as_view(next_page='/'))),
20 |     path('admin/', admin.site.urls),
21 |     path('mfa/', include('mfa.urls', namespace='mfa')),
22 | ]
23 | 


--------------------------------------------------------------------------------