Skip to content
This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Add Two Factor Authentication #842

Open
wants to merge 33 commits into
base: develop
Choose a base branch
from

Conversation

TillerBurr
Copy link

Rebased #773 and #522
This PR solves: #496

Much of the CI Failures were due to formatting issues. Also contains the following:

@ghost
Copy link

ghost commented May 27, 2019

Thanks for this awesome PR.

Do you consider making this pull to the Flask-Security-Too fork at https://github.com/jwag956/flask-security?

The fork is more active. See #822.

Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor spelling errors.

There is also a mix between 'two factor' and 'two-factor'.

docs/configuration.rst Outdated Show resolved Hide resolved
the verify code page for the two factor
authentication process. Defaults to
``security/two_factor_verify_code
.html``.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a space too much which breaks the line.

``SECURITY_TWO_FACTOR_CHOOSE_METHOD_TEMPLT`` Specifies the path to the template for
the choose method page for the two
factor authentication process. Defaults
to ``security/two_factor_choose_method
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a space too much which breaks the line.

``SECURITY_TWO_FACTOR_CHANGE_METHOD_TEMPLATE`` Specifies the path to the template for
the change method page for the two
factor authentication process. Defaults
to ``security/two_factor_change_method_
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a space too much which breaks the line.

Copy link
Author

@TillerBurr TillerBurr May 28, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I didn't change much on the docs, mostly just to make sure that the CI tests pass. I've made some changes to the codebase.

@TillerBurr
Copy link
Author

The main reason that I did not make a pull request to https://github.com/jwag956/flask-security was that in #822 @lnielsen was added as an admin/maintainter on the various sites. I can definitely make a pull request to Flask-Security-Too.

@jwag956
Copy link
Collaborator

jwag956 commented May 28, 2019

I would be happy to help get your change into flask-security-too. I have been trying to work with current flask-security maintainers but so far to no avail - so I have decided at least for now to go off and formalize my fork.
I am working on a 3.2.0 release that will contain a few feature improvements - in particular support for Single-Page-Applications (more complete json support) as well as documentation improvements, and a contributed authentication token cache.
Adding 2-factor to 3.2.0 should be doable and I hope to get that release out in the next couple weeks.

Please be aware that on my fork - I need PRs against MASTER (not develop). Hopefully most of non-feature related code changes won't be necessary.

I have a rc1 for 3.2.0 on pypi:

https://pypi.org/project/Flask-Security-Too/#history

which currently is based off of master branch.

Copy link
Collaborator

@jwag956 jwag956 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing I am not completely sure about is how/what needs to be done to update translations - obviously you cant do all languages - but I think you need to update flask_security.pot at least with your new messages.



def generate_totp():
return base64.b32encode(os.urandom(10)).decode('utf-8')
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this should be in code - different applications will have different requirements here. For example in 3.6 there is now a secrets module that is probably better...

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All I did was rebase the old pull requests to get them working and passing the CI tests. I can work on this at some point, but not sure when I will be able to get to them.

"""generate the qrcode for the two-factor authentication process"""
if 'google_authenticator' not in\
config_value('TWO_FACTOR_ENABLED_METHODS'):
return abort(404)
Copy link
Collaborator

@jwag956 jwag956 May 28, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general I think that utility functions like this should NOT be assuming a request context - rather throw an exception to the caller?

pass


def get_totp_uri(username, totp_secret):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question - did you consider using passlib.totp classes rather than rolling your own?

# if user's two-factor properties are not configured
if user.two_factor_primary_method is None or user.totp_secret is None:
session['has_two_factor'] = False
return redirect(url_for('two_factor_setup_function'))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't JSON friendly!

requirements.txt Outdated
@@ -1,3 +1,11 @@
# Trick for ReadTheDocs to install all requirements:
Flask>=0.9
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these shouldn't be necessary.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I had changed that back. I'm reverting it

@TillerBurr
Copy link
Author

Thank you for your help. This is not my initial code and I am kind of jumping into it without understanding what the original author was trying to do.

@jwag956
Copy link
Collaborator

jwag956 commented May 28, 2019

Let me know when you believe you are done - and I will cherry-pick that over to my fork. It will be a bit of a mess due to all the non-2FA changes - but shouldn't be too hard.
I assume you have an app that actually uses this so you can test that it actually works?

@TillerBurr
Copy link
Author

TillerBurr commented May 29, 2019

@jwag956 I've got it passing all of the CI tests and I've tested it in an app that isn't a SPA. The force push from earlier was just to squash a bunch of smaller commits that I was working through with the CI.

I was trying to locally merge your fork with my current branch, but at this point there is too much of a difference to try to merge without stepping on your toes. If this gets merged into your fork, I will try to keep an eye on it. There is much that can be improved on the backend, e.g. hashing the totp_secret, not storing it on the user model etc. but I think this is a good start.

@jwag956
Copy link
Collaborator

jwag956 commented May 30, 2019

That was painful - doing a rebase rather than cherry-pick - in any case - I have a PR up - made minor changes, and had to fix some doc stuff since my CI actually verifies that the docs build!

In my PR I added a bunch of questions that I could use your help on. I am mostly concerned about things that if we change later would not be backwards compatible.

Also - please look at:
https://coveralls.io/builds/23685029

looks like we need some more unit tests!

@TillerBurr
Copy link
Author

I can do this on your fork as well. As far as syntax checking, I am currently using vscode and it sometimes throws a bunch of unresolved imports that aren't true. I try to catch them, but apparently I seem to enjoy missing them.

@jwag956
Copy link
Collaborator

jwag956 commented May 31, 2019 via email

jwag956 referenced this pull request in pallets-eco/flask-security May 31, 2019
* docs: release date and block fixes

* i18n: added Chinese-Simple translation

* Update messages.po

change language from 'zh_Hans_CN' to 'zh_CN'

* rename nl_NL/LC_MESSAGES/messages.po and zh_Hans_CN/LC_MESSAGES/messages.po

* Security two factor authentication feature

* supporting two factor authentication:

* Support Mail, SMS, or Google Authenticator second factor authentication.

* Ability to change second factor authentication to existing users 

* Provide rescue mail in case of lost phone

* update docs with two factor authentication changes

* updating requirements, authors

* adding two_factor test

* improving tests coverage

* fix double import and unused import, revert get_user

* fix missing setup.py install_requires

* fix TestMail (remove __init_)

* formatting

* more formatting

* too many blank lines

* formatting forms.py

* signals line length

* twofactor formatting

* utils formatting

* update twilio client import

* missing import

* blueprint line length (twofactor)

* line too long/import/authors inadv. deleted

* conftest.py allow nulls in sqlalchemy

* Spelling, Update Functions and Tests Python 3.7 Support

request.json->request.get_json
update tests to use hash_password
pep8 compliance
Update dependencies for tests
move from pyenchant to msgcheck

* Update docs/configuration.rst

Co-Authored-By: malware-watch <[email protected]>

* consistent two-factor

* .gitignore .venv/

* fixes.  passlib.totp, if not request.is_json

* translation stubs for new messages

* Make two-factor login more JSON friendly

* feature - merge in two factor auth.

These changes are mostly docs and cleanup.

* remove pyqrcode, onetimepass from install requires

check imports if TWO_FACTOR is True

* Minor doc fixes.

Increase sizes of examples for 2FA phone and secret.

* whitespace

* feature - merge in two factor auth.

These changes are mostly docs and cleanup.

* Fix formatting.
Copy link

@miceno miceno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

Copy link

@miceno miceno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@posix4e
Copy link

posix4e commented Feb 20, 2020

what's going on here?

@TillerBurr
Copy link
Author

Project is pretty much abandoned. An updated fork is here: https://github.com/jwag956/flask-security.
It contains the above pull request and many other improvements.

@katesinclair91
Copy link

katesinclair91 commented Nov 15, 2020

Project is pretty much abandoned. An updated fork is here: https://github.com/jwag956/flask-security.
It contains the above pull request and many other improvements.

Luckily. i read the pull requests and found this comment. Else i will be stuck on old. :D

jasco pushed a commit to jasco/flask-security that referenced this pull request Oct 3, 2023
Although OWASP still recommends that reset password and confirmation links have the no-referrer header option set - this causes issues with HTTPS and Flask-WTF that requires a referrer header.
Also - for the past 5 years, the browser default for Referrer-Policy is 'strict-origin-when-cross-origin' which should be enough to mitigate any possible Referrer leakage.

closes pallets-eco#829
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Development

Successfully merging this pull request may close these issues.

6 participants