Add 2FA using allauth

Most of the work here is templating and ensuring the settings are
correct. There's no 2FA mandate and this doesn't enable
webauthn/passkeys for now, strictly TOTP and recovery codes.

Author: davidfischer

.coveragerc

@@ -18,7 +18,12 @@ omit =
 
     */migrations/*.py
     templates/admin/*.html
-    templates/account/*.html
+
+    # Skip allauth templates
+    templates/allauth/*
+    templates/account/*
+    templates/mfa/*
+
     templates/includes/*.html
     adserver/templatetags/metabase.py
     adserver/regiontopics.py # Just data/constants

adserver/templates/adserver/base.html

@@ -42,6 +42,10 @@
               <span class="fa fa-key fa-fw mr-2 text-muted" aria-hidden="true"></span>
               <span>{% trans 'Change password' %}</span>
             </a>
+            <a class="dropdown-item" href="{% url 'mfa_index' %}">
+              <span class="fa fa-unlock-alt fa-fw mr-2 text-muted" aria-hidden="true"></span>
+              <span>{% trans 'MFA' %}</span>
+            </a>
             <div class="dropdown-divider"></div>
             <a class="dropdown-item" href="{% url 'support' %}">
               <span class="fa fa-envelope fa-fw mr-2 text-muted" aria-hidden="true"></span>

config/settings/base.py

@@ -70,7 +70,7 @@
     "django.contrib.humanize",
     "allauth",
     "allauth.account",
-    "allauth.socialaccount",
+    "allauth.mfa",
     "crispy_forms",
     "crispy_bootstrap4",
     "rest_framework",
@@ -382,14 +382,18 @@
 
 
 # Django allauth
-# https://django-allauth.readthedocs.io
+# https://docs.allauth.org
+# https://docs.allauth.org/en/latest/account/advanced.html#custom-user-models
+# https://docs.allauth.org/en/latest/mfa/introduction.html
 # --------------------------------------------------------------------------
 ACCOUNT_ADAPTER = "adserver.auth.adapters.AdServerAccountAdapter"
 ACCOUNT_USER_MODEL_USERNAME_FIELD = None
 ACCOUNT_EMAIL_REQUIRED = True
 ACCOUNT_USERNAME_REQUIRED = False
-ACCOUNT_AUTHENTICATION_METHOD = "email"
 ACCOUNT_LOGIN_ON_PASSWORD_RESET = True
+ACCOUNT_MAX_EMAIL_ADDRESSES = 1
+ACCOUNT_LOGIN_METHODS = {"email"}
+
 
 # Celery settings for asynchronous tasks
 # http://docs.celeryproject.org/en/latest/userguide/configuration.html

config/settings/production.py

@@ -89,7 +89,6 @@
     if not socket.gethostname().startswith("ethicalads-extra"):
         ENFORCE_HOST = env("ENFORCE_HOST", default=None)
 
-
 # Email settings
 # See: https://anymail.readthedocs.io
 # --------------------------------------------------------------------------

config/urls.py

@@ -6,6 +6,7 @@
 from django.urls import include
 from django.urls import path
 from django.views import defaults as default_views
+from django.views.generic import RedirectView
 
 
 urlpatterns = []
@@ -56,6 +57,12 @@
     ]
 
 urlpatterns += [
+    # Allauth overrides
+    # Disable managing emails for now
+    path(
+        r"accounts/email/",
+        RedirectView.as_view(pattern_name="dashboard-home", permanent=False),
+    ),
     path(r"accounts/", include("allauth.urls")),
     path(r"stripe/", include("djstripe.urls", namespace="djstripe")),
     path(r"", include("adserver.urls")),

requirements/base.in

@@ -24,7 +24,7 @@ crispy-bootstrap4
 django-crispy-forms
 
 # Authentication
-django-allauth
+django-allauth[mfa]
 
 # Reading Django settings environment variables
 django-environ

requirements/base.txt

@@ -63,7 +63,7 @@ django==5.0.12
     #   django-slack
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r base.in
 django-cors-headers==4.7.0
     # via -r base.in

requirements/development.txt

@@ -96,7 +96,7 @@ django==5.0.12
     #   django-slack
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in
 django-cors-headers==4.7.0
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in

requirements/production.txt

@@ -78,7 +78,7 @@ django==5.0.12
     #   django-storages
     #   djangorestframework
     #   jsonfield
-django-allauth==65.4.1
+django-allauth[mfa]==65.4.1
     # via -r /home/david/ReadTheDocs/ethical-ad-server/requirements/base.in
 django-anymail==12.0
     # via -r production.in

templates/account/base_reauthenticate.html

@@ -0,0 +1,27 @@
+{% extends "account/base_entrance.html" %}
+
+{# https://github.com/pennersr/django-allauth/blob/main/allauth/templates/account/base_reauthenticate.html #}
+
+
+{% load allauth %}
+{% load i18n %}
+
+
+{% block title %}{% trans 'Confirm Access' %}{% endblock title %}
+
+
+{% block content %}
+
+  {% block reauthenticate_content %}
+  {% endblock reauthenticate_content %}
+
+  {% if reauthentication_alternatives %}
+    <hr>
+
+    <h3>{% translate "Alternative options" %}</h3>
+
+    {% for alt in reauthentication_alternatives %}
+      <a href="{{ alt.url }}">{{ alt.description }}</a>
+    {% endfor %}
+  {% endif %}
+{% endblock content %}