Add Two Factor Authentication #842
Conversation
* supporting two factor authentication: * Support Mail, SMS, or Google Authenticator second factor authentication. * Ability to change second factor authentication to existing users * Provide rescue mail in case of lost phone * update docs with two factor authentication changes * updating requirements, authors * adding two_factor test * improving tests coverage
request.json->request.get_json update tests to use hash_password pep8 compliance Update dependencies for tests move from pyenchant to msgcheck
|
Thanks for this awesome PR. Do you consider making this pull to the Flask-Security-Too fork at https://github.com/jwag956/flask-security? The fork is more active. See #822. |
docs/configuration.rst
Outdated
| the verify code page for the two factor | ||
| authentication process. Defaults to | ||
| ``security/two_factor_verify_code | ||
| .html``. |
There was a problem hiding this comment.
There is a space too much which breaks the line.
docs/configuration.rst
Outdated
| ``SECURITY_TWO_FACTOR_CHOOSE_METHOD_TEMPLT`` Specifies the path to the template for | ||
| the choose method page for the two | ||
| factor authentication process. Defaults | ||
| to ``security/two_factor_choose_method |
There was a problem hiding this comment.
There is a space too much which breaks the line.
docs/configuration.rst
Outdated
| ``SECURITY_TWO_FACTOR_CHANGE_METHOD_TEMPLATE`` Specifies the path to the template for | ||
| the change method page for the two | ||
| factor authentication process. Defaults | ||
| to ``security/two_factor_change_method_ |
There was a problem hiding this comment.
There is a space too much which breaks the line.
There was a problem hiding this comment.
Thanks. I didn't change much on the docs, mostly just to make sure that the CI tests pass. I've made some changes to the codebase.
Co-Authored-By: malware-watch <[email protected]>
|
The main reason that I did not make a pull request to https://github.com/jwag956/flask-security was that in #822 @lnielsen was added as an admin/maintainter on the various sites. I can definitely make a pull request to Flask-Security-Too. |
|
I would be happy to help get your change into flask-security-too. I have been trying to work with current flask-security maintainers but so far to no avail - so I have decided at least for now to go off and formalize my fork. Please be aware that on my fork - I need PRs against MASTER (not develop). Hopefully most of non-feature related code changes won't be necessary. I have a rc1 for 3.2.0 on pypi: https://pypi.org/project/Flask-Security-Too/#history which currently is based off of master branch. |
|
|
||
|
|
||
| def generate_totp(): | ||
| return base64.b32encode(os.urandom(10)).decode('utf-8') |
There was a problem hiding this comment.
I don't think this should be in code - different applications will have different requirements here. For example in 3.6 there is now a secrets module that is probably better...
There was a problem hiding this comment.
All I did was rebase the old pull requests to get them working and passing the CI tests. I can work on this at some point, but not sure when I will be able to get to them.
flask_security/twofactor.py
Outdated
| """generate the qrcode for the two-factor authentication process""" | ||
| if 'google_authenticator' not in\ | ||
| config_value('TWO_FACTOR_ENABLED_METHODS'): | ||
| return abort(404) |
There was a problem hiding this comment.
In general I think that utility functions like this should NOT be assuming a request context - rather throw an exception to the caller?
| pass | ||
|
|
||
|
|
||
| def get_totp_uri(username, totp_secret): |
There was a problem hiding this comment.
Question - did you consider using passlib.totp classes rather than rolling your own?
flask_security/views.py
Outdated
| # if user's two-factor properties are not configured | ||
| if user.two_factor_primary_method is None or user.totp_secret is None: | ||
| session['has_two_factor'] = False | ||
| return redirect(url_for('two_factor_setup_function')) |
There was a problem hiding this comment.
This isn't JSON friendly!
requirements.txt
Outdated
| @@ -1,3 +1,11 @@ | |||
| # Trick for ReadTheDocs to install all requirements: | |||
| Flask>=0.9 | |||
There was a problem hiding this comment.
these shouldn't be necessary.
There was a problem hiding this comment.
I thought I had changed that back. I'm reverting it
|
Thank you for your help. This is not my initial code and I am kind of jumping into it without understanding what the original author was trying to do. |
|
Let me know when you believe you are done - and I will cherry-pick that over to my fork. It will be a bit of a mess due to all the non-2FA changes - but shouldn't be too hard. |
|
@jwag956 I've got it passing all of the CI tests and I've tested it in an app that isn't a SPA. The force push from earlier was just to squash a bunch of smaller commits that I was working through with the CI. I was trying to locally merge your fork with my current branch, but at this point there is too much of a difference to try to merge without stepping on your toes. If this gets merged into your fork, I will try to keep an eye on it. There is much that can be improved on the backend, e.g. hashing the totp_secret, not storing it on the user model etc. but I think this is a good start. |
|
That was painful - doing a rebase rather than cherry-pick - in any case - I have a PR up - made minor changes, and had to fix some doc stuff since my CI actually verifies that the docs build! In my PR I added a bunch of questions that I could use your help on. I am mostly concerned about things that if we change later would not be backwards compatible. Also - please look at: looks like we need some more unit tests! |
|
I can do this on your fork as well. As far as syntax checking, I am currently using vscode and it sometimes throws a bunch of unresolved imports that aren't true. I try to catch them, but apparently I seem to enjoy missing them. |
|
Thanks - that would be great.
I use Pycharm and it also sometimes makes mistakes - but if you run the
code - doesn't it work/throw an error? I guess I am just asking why
commit/push just to check if it runs?
I both run from PyCharm - but also, to check pep8 etc - I run python
setup.py test before committing...
let me know if you run into any issues on my fork. Just work on the same
branch (baurt) - I think it will let you - I just added you as a
collaborator.
…On Thu, May 30, 2019 at 7:10 AM Tyler Baur ***@***.***> wrote:
I can do this on your fork as well. As far as syntax checking, I am
currently using vscode and it sometimes throws a bunch of unresolved
imports that aren't true. I try to catch them, but apparently I seem to
enjoy missing them.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#842>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHU2T5P6RQP7IHIVJVKL2DPX7N6DANCNFSM4HODXFRQ>
.
--
Chris Wagner
The land embracing Point Lobos was bought for inclusion in the State Park
System (a) because the very peculiar physical characteristics of the
locality have enabled many people to obtain here personal satisfactions of
peculiar kinds which they have valued very highly, and of which the most
highly valued are unobtainable elsewhere in like degree if at all, ...
Point Lobos Reserve Master Plan Report - Olmsted Brothers,
November, 1935
|
* docs: release date and block fixes * i18n: added Chinese-Simple translation * Update messages.po change language from 'zh_Hans_CN' to 'zh_CN' * rename nl_NL/LC_MESSAGES/messages.po and zh_Hans_CN/LC_MESSAGES/messages.po * Security two factor authentication feature * supporting two factor authentication: * Support Mail, SMS, or Google Authenticator second factor authentication. * Ability to change second factor authentication to existing users * Provide rescue mail in case of lost phone * update docs with two factor authentication changes * updating requirements, authors * adding two_factor test * improving tests coverage * fix double import and unused import, revert get_user * fix missing setup.py install_requires * fix TestMail (remove __init_) * formatting * more formatting * too many blank lines * formatting forms.py * signals line length * twofactor formatting * utils formatting * update twilio client import * missing import * blueprint line length (twofactor) * line too long/import/authors inadv. deleted * conftest.py allow nulls in sqlalchemy * Spelling, Update Functions and Tests Python 3.7 Support request.json->request.get_json update tests to use hash_password pep8 compliance Update dependencies for tests move from pyenchant to msgcheck * Update docs/configuration.rst Co-Authored-By: malware-watch <[email protected]> * consistent two-factor * .gitignore .venv/ * fixes. passlib.totp, if not request.is_json * translation stubs for new messages * Make two-factor login more JSON friendly * feature - merge in two factor auth. These changes are mostly docs and cleanup. * remove pyqrcode, onetimepass from install requires check imports if TWO_FACTOR is True * Minor doc fixes. Increase sizes of examples for 2FA phone and secret. * whitespace * feature - merge in two factor auth. These changes are mostly docs and cleanup. * Fix formatting.
|
what's going on here? |
|
Project is pretty much abandoned. An updated fork is here: https://github.com/jwag956/flask-security. |
Luckily. i read the pull requests and found this comment. Else i will be stuck on old. :D |
Although OWASP still recommends that reset password and confirmation links have the no-referrer header option set - this causes issues with HTTPS and Flask-WTF that requires a referrer header. Also - for the past 5 years, the browser default for Referrer-Policy is 'strict-origin-when-cross-origin' which should be enough to mitigate any possible Referrer leakage. closes pallets-eco#829
Rebased #773 and #522
This PR solves: #496
Much of the CI Failures were due to formatting issues. Also contains the following:
Updated release.py to accommodate Python 3 versions (prevented CI tests from passing.)
Added Python 3.7 to the CI tests
Updated requirements due to a conflict in Werkzeug and Flask. (See Unable to send POST request using Flask test client pallets/flask#3148)