Add 2FA using allauth

Most of the work here is templating and ensuring the settings are
correct. There's no 2FA mandate and this doesn't enable
webauthn/passkeys for now, strictly TOTP and recovery codes.

Author: davidfischer

.coveragerc

@@ -18,7 +18,12 @@ omit =
 
     */migrations/*.py
     templates/admin/*.html
-    templates/account/*.html
+
+    # Skip allauth templates
+    templates/allauth/*
+    templates/account/*
+    templates/mfa/*
+
     templates/includes/*.html
     adserver/templatetags/metabase.py
     adserver/regiontopics.py # Just data/constants

adserver/templates/adserver/base.html

@@ -42,6 +42,10 @@
               <span class="fa fa-key fa-fw mr-2 text-muted" aria-hidden="true"></span>
               <span>{% trans 'Change password' %}</span>
             </a>
+            <a class="dropdown-item" href="{% url 'mfa_index' %}">
+              <span class="fa fa-unlock-alt fa-fw mr-2 text-muted" aria-hidden="true"></span>
+              <span>{% trans 'MFA' %}</span>
+            </a>
             <div class="dropdown-divider"></div>
             <a class="dropdown-item" href="{% url 'support' %}">
               <span class="fa fa-envelope fa-fw mr-2 text-muted" aria-hidden="true"></span>

config/settings/base.py

@@ -70,7 +70,7 @@
     "django.contrib.humanize",
     "allauth",
     "allauth.account",
-    "allauth.socialaccount",
+    "allauth.mfa",
     "crispy_forms",
     "crispy_bootstrap4",
     "rest_framework",
@@ -382,14 +382,18 @@
 
 
 # Django allauth
-# https://django-allauth.readthedocs.io
+# https://docs.allauth.org
+# https://docs.allauth.org/en/latest/account/advanced.html#custom-user-models
+# https://docs.allauth.org/en/latest/mfa/introduction.html
 # --------------------------------------------------------------------------
 ACCOUNT_ADAPTER = "adserver.auth.adapters.AdServerAccountAdapter"
 ACCOUNT_USER_MODEL_USERNAME_FIELD = None
 ACCOUNT_EMAIL_REQUIRED = True
 ACCOUNT_USERNAME_REQUIRED = False
-ACCOUNT_AUTHENTICATION_METHOD = "email"
 ACCOUNT_LOGIN_ON_PASSWORD_RESET = True
+ACCOUNT_MAX_EMAIL_ADDRESSES = 1
+ACCOUNT_LOGIN_METHODS = {"email"}
+
 
 # Celery settings for asynchronous tasks
 # http://docs.celeryproject.org/en/latest/userguide/configuration.html

config/settings/production.py

@@ -89,7 +89,6 @@
     if not socket.gethostname().startswith("ethicalads-extra"):
         ENFORCE_HOST = env("ENFORCE_HOST", default=None)
 
-
 # Email settings
 # See: https://anymail.readthedocs.io
 # --------------------------------------------------------------------------

config/urls.py

@@ -6,6 +6,7 @@
 from django.urls import include
 from django.urls import path
 from django.views import defaults as default_views
+from django.views.generic import RedirectView
 
 
 urlpatterns = []
@@ -56,6 +57,12 @@
     ]
 
 urlpatterns += [
+    # Allauth overrides
+    # Disable managing emails for now
+    path(
+        r"accounts/email/",
+        RedirectView.as_view(pattern_name="dashboard-home", permanent=False),
+    ),
     path(r"accounts/", include("allauth.urls")),
     path(r"stripe/", include("djstripe.urls", namespace="djstripe")),
     path(r"", include("adserver.urls")),

requirements/base.in

@@ -24,7 +24,7 @@ crispy-bootstrap4
 django-crispy-forms
 
 # Authentication
-django-allauth
+django-allauth[mfa]
 
 # Reading Django settings environment variables
 django-environ

requirements/base.txt

@@ -63,7 +63,7 @@ django==5.0.12
     #   django-slack
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r base.in
 django-cors-headers==4.7.0
     # via -r base.in

requirements/development.txt

@@ -96,7 +96,7 @@ django==5.0.12
     #   django-slack
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in
 django-cors-headers==4.7.0
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in

requirements/production.txt

@@ -78,7 +78,7 @@ django==5.0.12
     #   django-storages
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in
 django-anymail==12.0
     # via -r production.in

templates/account/base_reauthenticate.html

@@ -0,0 +1,27 @@
+{% extends "account/base_entrance.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/account/base_reauthenticate.html #}
+
+
+{% load allauth %}
+{% load i18n %}
+
+
+{% block title %}{% trans 'Confirm Access' %}{% endblock title %}
+
+
+{% block content %}
+
+  {% block reauthenticate_content %}
+  {% endblock reauthenticate_content %}
+
+  {% if reauthentication_alternatives %}
+    <hr>
+
+    <h3>{% translate "Alternative options" %}</h3>
+
+    {% for alt in reauthentication_alternatives %}
+      <a href="{{ alt.url }}">{{ alt.description }}</a>
+    {% endfor %}
+  {% endif %}
+{% endblock content %}

templates/account/reauthenticate.html

@@ -0,0 +1,25 @@
+{% extends "account/base_reauthenticate.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/account/reauthenticate.html #}
+
+{% load blocktrans trans from i18n %}
+{% load crispy from crispy_forms_tags %}
+
+
+{% block reauthenticate_content %}
+  <h1>{% trans 'Confirm Access' %}</h1>
+
+  <p>
+    {% blocktrans trimmed %}
+      Enter your account password to confirm access.
+    {% endblocktrans %}
+  </p>
+
+  {% url 'account_reauthenticate' as action_url %}
+  <form method="post" action="{{ action_url }}">
+    {% csrf_token %}
+    {{ form|crispy }}
+    {{ redirect_field }}
+    <input class="btn btn-primary" type="submit" value="{% trans 'Confirm ' %}">
+  </form>
+{% endblock reauthenticate_content %}

templates/allauth/layouts/base.html

@@ -0,0 +1,34 @@
+{% extends "adserver/dashboard.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/allauth/layouts/base.html #}
+
+{% load i18n %}
+{% load static %}
+{% load humanize %}
+{% load crispy_forms_tags %}
+
+
+{% block title %}{% trans "Account" %}{% endblock %}
+
+
+{% block breadcrumbs %}
+<li class="breadcrumb-item">
+  <a href="{% url 'dashboard-home' %}">{% trans 'Home' %}</a>
+</li>
+<li class="breadcrumb-item active">{% trans 'Account' %}</li>
+{% endblock breadcrumbs %}
+
+
+{% block content_container %}
+
+<h1>{% block heading %}{% trans "Account" %}{% endblock heading %}</h1>
+
+<div class="row">
+  <div class="col col-md-8">
+
+    {% block content %}{% endblock content %}
+
+  </div>
+</div>
+
+{% endblock content_container %}

templates/allauth/layouts/entrance.html

@@ -0,0 +1,3 @@
+{% extends 'account/base.html' %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/allauth/layouts/entrance.html #}

templates/mfa/authenticate.html

@@ -0,0 +1,35 @@
+{% extends "mfa/base_entrance.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/mfa/authenticate.html #}
+
+{% load blocktrans trans from i18n %}
+{% load crispy from crispy_forms_tags %}
+
+{% block title %}
+  {% trans "Verify sign in" %}
+{% endblock title %}
+
+{% block content %}
+
+  <h1 class="card-title">{% trans 'Verify sign in' %}</h1>
+
+  <p>
+    {% blocktrans trimmed %}
+      Your account is protected by two-factor authentication.
+      Enter a two-factor authentication code to verify this sign in.
+    {% endblocktrans %}
+  </p>
+
+  {% url 'mfa_authenticate' as action_url %}
+  <form method="post" action="{{ action_url }}">
+    {% csrf_token %}
+    {{ form|crispy }}
+    {{ redirect_field }}
+
+    <input type="submit" value="{% trans 'Verify' %}" class="btn btn-primary" />
+  </form>
+
+  {% if "webauthn" in MFA_SUPPORTED_TYPES %}
+    {# WebAuthn (Passkeys) will require additional work to support #}
+  {% endif %}
+{% endblock content %}

templates/mfa/base_manage.html

@@ -0,0 +1,35 @@
+{% extends "adserver/dashboard.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/mfa/base_manage.html #}
+
+{% load i18n %}
+{% load static %}
+{% load humanize %}
+{% load crispy_forms_tags %}
+
+
+{% block title %}{% trans "MFA" %}{% endblock %}
+
+
+{% block breadcrumbs %}
+<li class="breadcrumb-item">
+  <a href="{% url 'dashboard-home' %}">{% trans 'Home' %}</a>
+</li>
+<li class="breadcrumb-item">
+  <a href="{% url 'account' %}">{% trans 'Account' %}</a>
+</li>
+<li class="breadcrumb-item active">{% trans 'MFA' %}</li>
+{% endblock breadcrumbs %}
+
+
+{% block content_container %}
+
+<div class="row">
+  <div class="col">
+
+    {% block content %}{% endblock content %}
+
+  </div>
+</div>
+
+{% endblock content_container %}

templates/mfa/index.html

@@ -0,0 +1,69 @@
+{% extends "mfa/base_manage.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/mfa/index.html #}
+
+
+{% load allauth %}
+{% load i18n %}
+
+
+{% block content %}
+
+  <h1>{% block heading %}{% trans "MFA" %}{% endblock heading %}</h1>
+
+  <p>{% trans 'Configure or update your multi-factor authentication settings.' %}</p>
+
+
+  {% if "totp" in MFA_SUPPORTED_TYPES %}
+
+  <section class="my-5" id="mfa-totp">
+    <h3>{% trans "Authenticator App" %}</h3>
+
+    {% url 'mfa_deactivate_totp' as deactivate_url %}
+    {% url 'mfa_activate_totp' as activate_url %}
+
+    {% if authenticators.totp %}
+      <p>
+        {% blocktrans trimmed %}
+          Two-factor authentication using an authenticator app is enabled.
+        {% endblocktrans %}
+      </p>
+      <p class="mb-0"><a href="{{ deactivate_url }}" class="btn btn-sm btn-danger">{% trans 'Deactivate MFA' %}</a></p>
+      <p class="small text-muted">{% trans '(You will have a chance to confirm)' %}</p>
+    {% else %}
+      <p>
+        {% blocktrans trimmed %}
+          Two-factor authentication using an authenticator app is not enabled.
+        {% endblocktrans %}
+      </p>
+      <p><a href="{{ activate_url }}" class="btn btn-sm btn-outline-primary">{% trans 'Activate MFA' %}</a></p>
+    {% endif %}
+  </section>
+
+  {% endif %}
+
+  {% block mfa_webauthn %}
+    {% if "webauthn" in MFA_SUPPORTED_TYPES %}
+      {# TODO if we end up supporting webauthn/passkeys this in the future, this section will need ported #}
+    {% endif %}
+  {% endblock mfa_webauthn %}
+
+  {% block mfa_recovery %}
+    {% if is_mfa_enabled and "recovery_codes" in MFA_SUPPORTED_TYPES %}
+
+      <section class="my-5" id="mfa-codes">
+        <h3>{% translate "Recovery Codes" %}</h3>
+
+        <p>
+          {% blocktrans trimmed %}
+            Recovery codes are one-time use codes that can be used as backup two-factor authentication codes.
+          {% endblocktrans %}
+        </p>
+
+        {% url 'mfa_view_recovery_codes' as view_url %}
+        <a href="{{ view_url }}" class="btn btn-sm btn-outline-primary">{% trans "Manage recovery codes" %}</a>
+      </section>
+
+    {% endif %}
+  {% endblock mfa_recovery %}
+{% endblock content %}

templates/mfa/reauthenticate.html

@@ -0,0 +1,29 @@
+{% extends "account/base_reauthenticate.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/mfa/reauthenticate.html #}
+
+
+{% load i18n %}
+{% load allauth %}
+{% load crispy from crispy_forms_tags %}
+
+
+{% block reauthenticate_content %}
+
+<h1>{% trans 'Confirm Access' %}</h1>
+
+  <p>
+    {% blocktrans trimmed %}
+      Enter a two-factor authentication code to confirm access.
+    {% endblocktrans %}
+  </p>
+
+  {% url 'mfa_reauthenticate' as action_url %}
+  <form method="post" action="{{ action_url }}">
+    {% csrf_token %}
+    {{ form|crispy }}
+    {{ redirect_field }}
+    <input type="submit" class="btn btn-primary" value="{% trans 'Confirm' %}">
+  </form>
+
+{% endblock %}