v3.0 is released

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Change Log
 
+## 3.0
+
+This is a major cleanup and CSS adjustments so please test before deployment.
+
+* Updated to fido2==1.1.3
+* Removed: CBOR and exchange is done in JSON now.
+* Removed: `simplejson` package from dependencies.
+* Email OTP is always 6 numbers.
+* Better support for bootstrap 4 and 5.
+* Added: the following settings
+  * `MFA_FIDO2_RESIDENT_KEY`: Defaults to `Discouraged` which was the old behaviour
+  * `MFA_FIDO2_AUTHENTICATOR_ATTACHMENT`: If you like to have a PLATFORM Authenticator, Defaults to NONE
+  * `MFA_FIDO2_USER_VERIFICATION`:  If you need User Verification
+  * `MFA_FIDO2_ATTESTATION_PREFERENCE`: If you like to have an Attention
+  * `MFA_ENFORCE_EMAIL_TOKEN`: if you want the user to receive OTP by email without enrolling, if this the case, the system admins shall make sure that emails are valid.
+  * `MFA_SHOW_OTP_IN_EMAIL_SUBJECT`: If you like to show the OTP in the email subject
+  * `MFA_OTP_EMAIL_SUBJECT`: The subject of the email after the token allows placeholder '%s' for otp
+
 ## 2.9.0
 * Add: Set black as code formatter
 * Add: Add Pyre as a type checker
@@ -14,6 +32,7 @@
 * Fixed #70
 * Add QR Code for trusted device link
 * Better formatting for trusted device start page.
+
 ## 2.6.1
 * Fix: CVE-2022-42731: related to the possibility of registration replay attack.
   Thanks to 'SSE (Secure Systems Engineering)'

README.md

@@ -80,6 +80,7 @@ Depends on
 
    ```python
    from django.conf.global_settings import PASSWORD_HASHERS as DEFAULT_PASSWORD_HASHERS #Preferably at the same place where you import your other modules
+
    MFA_UNALLOWED_METHODS=()   # Methods that shouldn't be allowed for the user e.g ('TOTP','U2F',)
    MFA_LOGIN_CALLBACK=""      # A function that should be called by username to login the user in session
    MFA_RECHECK=True           # Allow random rechecking of the user
@@ -91,7 +92,7 @@ Depends on
    MFA_ALWAYS_GO_TO_LAST_METHOD = False # Always redirect the user to the last method used to save a click (Added in 2.6.0).
    MFA_RENAME_METHODS={} #Rename the methods in a more user-friendly way e.g {"RECOVERY":"Backup Codes"} (Added in 2.6.0)
    MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).
-   MFA_OWNED_BY_ENTERPRISE = FALSE  # Who owns security keys   
+   MFA_OWNED_BY_ENTERPRISE = False   # Who owns security keys   
    PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS # Comment if PASSWORD_HASHER already set in your settings.py
    PASSWORD_HASHERS += ['mfa.recovery.Hash'] 
    RECOVERY_ITERATION = 350000 #Number of iteration for recovery code, higher is more secure, but uses more resources for generation and check...
@@ -101,6 +102,16 @@ Depends on
    U2F_APPID="https://localhost"    #URL For U2F
    FIDO_SERVER_ID=u"localehost"      # Server rp id for FIDO2, it is the full domain of your project
    FIDO_SERVER_NAME=u"PROJECT_NAME"
+
+   import mfa
+   MFA_FIDO2_RESIDENT_KEY = mfa.ResidentKey.DISCOURAGED  # Resident Key allows a special User Handle
+   MFA_FIDO2_AUTHENTICATOR_ATTACHMENT = None  # Let the user choose
+   MFA_FIDO2_USER_VERIFICATION = None         # Verify User Presence
+   MFA_FIDO2_ATTESTATION_PREFERENCE = mfa.AttestationPreference.NONE
+
+   MFA_ENFORCE_EMAIL_TOKEN = False          # If you want the user to receive OTP by email without enrolling, if this the case, the system admins shall make sure that emails are valid.
+   MFA_SHOW_OTP_IN_EMAIL_SUBJECT = False    #If you like to show the OTP in the email subject
+   MFA_OTP_EMAIL_SUBJECT= "OTP"       # The subject of the email after the token
    ```
    **Method Names**
    * U2F
@@ -115,8 +126,11 @@ Depends on
     * Starting version 1.7.0, Key owners can be specified.
     * Starting version 2.2.0
         * Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
-    Start version 2.6.0
+    * Starting version 2.6.0
         * Added: `MFA_ALWAYS_GO_TO_LAST_METHOD`, `MFA_RENAME_METHODS`, `MFA_ENFORCE_RECOVERY_METHOD` & `RECOVERY_ITERATION`
+    * Starting version 3.0
+        * Added: `MFA_FIDO2_RESIDENT_KEY`, `MFA_FIDO2_AUTHENTICATOR_ATTACHMENT`, `MFA_FIDO2_USER_VERIFICATION`, `MFA_FIDO2_ATTESTATION_PREFERENCE`
+        * Added: `MFA_ENFORCE_EMAIL_TOKEN`, `MFA_SHOW_OTP_IN_EMAIL_SUBJECT`, `MFA_OTP_EMAIL_SUBJECT`
 4. Break your login function
 
    Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change

example/example/settings.py

@@ -13,6 +13,8 @@
 import os
 from django.conf.global_settings import PASSWORD_HASHERS as DEFAULT_PASSWORD_HASHERS
 
+import mfa
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -149,6 +151,17 @@
 PASSWORD_HASHERS += ["mfa.recovery.Hash"]
 RECOVERY_ITERATION = 1  # Number of iteration for recovery code, higher is more secure, but uses more resources for generation and check...
 TOKEN_ISSUER_NAME = "PROJECT_NAME"  # TOTP Issuer name
+MFA_FIDO2_RESIDENT_KEY = (
+    mfa.ResidentKey.REQUIRED
+)  # Resident Key allows a special User Handle
+MFA_FIDO2_AUTHENTICATOR_ATTACHMENT = None  # Let the user choose
+MFA_FIDO2_USER_VERIFICATION = None  # Verify User Presence
+MFA_FIDO2_ATTESTATION_PREFERENCE = mfa.AttestationPreference.NONE
+MFA_RENAME_METHODS = {"RECOVERY": "Backup Codes", "FIDO2": "Biometric Authentication"}
+PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS  # Comment if PASSWORD_HASHER already set
+PASSWORD_HASHERS += ["mfa.recovery.Hash"]
+RECOVERY_ITERATION = 1  # Number of iteration for recovery code, higher is more secure, but uses more resources for generation and check...
+TOKEN_ISSUER_NAME = "PROJECT_NAME"  # TOTP Issuer name
 
 U2F_APPID = "https://localhost:9000"  # URL For U2F
 FIDO_SERVER_ID = (

example/example/templates/base.html

@@ -15,11 +15,8 @@
   <!-- Custom fonts for this template-->
   <link href="{% static 'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">
 
-  <!-- Page level plugin CSS-->
-  <link href="{% static 'vendor/datatables/dataTables.bootstrap4.css'%}" rel="stylesheet">
-
   <!-- Custom styles for this template-->
-  <link href="{% static 'css/sb-admin.css'%}" rel="stylesheet">
+  <link href="{% static 'css/sb-admin.min.css'%}" rel="stylesheet">
     <script src="{% static 'vendor/jquery/jquery.min.js'%}"></script>
 
 </head>

example/example/templates/login.html

@@ -16,7 +16,7 @@
   <link href="{% static  'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">
 
   <!-- Custom styles for this template-->
-  <link href="{% static 'css/sb-admin.css'%}" rel="stylesheet">
+  <link href="{% static 'css/sb-admin.min.css'%}" rel="stylesheet">
 
 </head>
 
@@ -29,11 +29,11 @@
           {% if invalid %}
               <div class="alert alert-danger">Invalid Username or password</div>
           {% endif %}
-        <form action="{% url 'login' %}" method="post">
+        <form action="{% url 'login' %}" method="post" id="loginForm">
             {% csrf_token %}
           <div class="form-group">
-            <div class="form-label-group">
-              <input type="text" id="inputUsername" name="username" class="form-control" placeholder="username" required="required" autofocus="autofocus">
+           <div class="form-label-group">
+              <input type="text" id="inputUsername" name="username" class="form-control" placeholder="username" autocomplete="username webauthn"  autofocus="autofocus">
               <label for="inputUsername">Username</label>
             </div>
           </div>
@@ -44,7 +44,9 @@
             </div>
           </div>
 
-          <button class="btn btn-primary btn-block" type="submit">Login</button>
+          <button class="btn btn-primary btn-block" type="submit">Login</button><br/>
+
+            <button class="btn btn-primary btn-block" type="button" onclick="authen()">Login By Security Key</button>
         </form>
       </div>
     </div>
@@ -56,7 +58,10 @@
 
   <!-- Core plugin JavaScript-->
   <script src="{% static 'vendor/jquery-easing/jquery.easing.min.js'%}"></script>
-
+    {% include 'FIDO2/Auth_JS.html'%}
+<script type="text/javascript">
+    window.onload = checkConditionalUI('loginForm')
+</script>
 </body>
 
 </html>

example/example/templates/mfa_auth_base.html

@@ -16,7 +16,7 @@
   <link href="{% static  'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">
 
   <!-- Custom styles for this template-->
-  <link href="{% static 'css/sb-admin.css'%}" rel="stylesheet">
+  <link href="{% static 'css/sb-admin.min.css'%}" rel="stylesheet">
 <script src="{% static 'vendor/jquery/jquery.min.js'%}"></script>
 
 </head>