Begin to phase in custom authentication
parent
2fb8c91415
commit
aea92f9d85
6 changed files with 102 additions and 8 deletions
10
README.md
10
README.md
|
@ -185,15 +185,17 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra
|
||||||
- [x] OTPSerializer: allow to read seed for admin
|
- [x] OTPSerializer: allow to read seed for admin
|
||||||
- [x] Implement deleting entry
|
- [x] Implement deleting entry
|
||||||
- [x] Include verify in ModelSerializer
|
- [x] Include verify in ModelSerializer
|
||||||
- [ ] Remove hard coded JSON (?)
|
- [x] Maybe we map name+realm == User (?)
|
||||||
- [ ] Use Custom authentication (?) - needs to have a user
|
|
||||||
- [ ] Maybe we map name+realm == User (?)
|
|
||||||
- name == name@realm
|
- name == name@realm
|
||||||
- no password
|
- password is used for admin login (?)
|
||||||
- seed
|
- seed
|
||||||
- custom auth method
|
- custom auth method
|
||||||
|
- [ ] try to fake username for django based on name+realm (?)
|
||||||
|
- [ ] maybe overwrite get_username() (?)
|
||||||
|
- [ ] Use Custom authentication (?) - needs to have a user
|
||||||
- [ ] Implement creating new "User"
|
- [ ] Implement creating new "User"
|
||||||
- by POST / Model based
|
- by POST / Model based
|
||||||
- [ ] move totp constants into settings
|
- [ ] move totp constants into settings
|
||||||
- [ ] move field lengths into settings
|
- [ ] move field lengths into settings
|
||||||
- [ ] make settings adjustable by environment (?)
|
- [ ] make settings adjustable by environment (?)
|
||||||
|
- [ ] Remove hard coded JSON (?)
|
||||||
|
|
|
@ -5,10 +5,8 @@ from django.contrib import admin
|
||||||
from django.contrib.auth.admin import UserAdmin
|
from django.contrib.auth.admin import UserAdmin
|
||||||
from .models import OTPSeed
|
from .models import OTPSeed
|
||||||
|
|
||||||
#admin.site.register(OTPSeed)
|
|
||||||
|
|
||||||
|
|
||||||
from django.contrib import admin
|
from django.contrib import admin
|
||||||
from django.contrib.auth.admin import UserAdmin
|
from django.contrib.auth.admin import UserAdmin
|
||||||
|
|
||||||
admin.site.register(OTPSeed, UserAdmin)
|
# admin.site.register(OTPSeed, UserAdmin)
|
||||||
|
admin.site.register(OTPSeed)
|
||||||
|
|
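Review bot: Registering the model with the plain ModelAdmin on the new `admin.site.register(OTPSeed)` line loses the password handling that UserAdmin provided: the migration in this commit gives OTPSeed the full AbstractUser field set (password, is_superuser, groups, user_permissions), so a plain ModelAdmin form exposes the password hash and the TOTP `seed` as editable text fields and a value typed into `password` is saved as typed rather than hashed, which would then never verify. If the UserAdmin registration was commented out because its default fieldsets do not know about name/realm/seed, subclass it instead, e.g. `class OTPSeedAdmin(UserAdmin): fieldsets = UserAdmin.fieldsets + (('OTP', {'fields': ('name', 'realm', 'seed')}),)` and register with `admin.site.register(OTPSeed, OTPSeedAdmin)`, ideally keeping `seed` read-only or out of the admin since it is a shared secret. The hunk also shows `django.contrib.admin` and `UserAdmin` imported twice (at the top and again mid-file), which can be collapsed into one import block. The file header for this hunk is not shown, so the path is inferred from the imports.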
46
ungleichotp/otpauth/migrations/0001_initial.py
Normal file
46
ungleichotp/otpauth/migrations/0001_initial.py
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
# Generated by Django 2.1.3 on 2018-11-17 22:01
|
||||||
|
|
||||||
|
import django.contrib.auth.models
|
||||||
|
import django.contrib.auth.validators
|
||||||
|
from django.db import migrations, models
|
||||||
|
import django.utils.timezone
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
initial = True
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
('auth', '0009_alter_user_last_name_max_length'),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name='OTPSeed',
|
||||||
|
fields=[
|
||||||
|
('password', models.CharField(max_length=128, verbose_name='password')),
|
||||||
|
('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
|
||||||
|
('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
|
||||||
|
('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')),
|
||||||
|
('first_name', models.CharField(blank=True, max_length=30, verbose_name='first name')),
|
||||||
|
('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
|
||||||
|
('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')),
|
||||||
|
('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
|
||||||
|
('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
|
||||||
|
('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
|
||||||
|
('id', models.AutoField(primary_key=True, serialize=False)),
|
||||||
|
('name', models.CharField(max_length=128)),
|
||||||
|
('realm', models.CharField(max_length=128)),
|
||||||
|
('seed', models.CharField(max_length=128)),
|
||||||
|
('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups')),
|
||||||
|
('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions')),
|
||||||
|
],
|
||||||
|
managers=[
|
||||||
|
('objects', django.contrib.auth.models.UserManager()),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
migrations.AlterUniqueTogether(
|
||||||
|
name='otpseed',
|
||||||
|
unique_together={('name', 'realm')},
|
||||||
|
),
|
||||||
|
]
|
0
ungleichotp/otpauth/migrations/__init__.py
Normal file
0
ungleichotp/otpauth/migrations/__init__.py
Normal file
|
@ -55,3 +55,27 @@ class VerifySerializer(serializers.Serializer):
|
||||||
|
|
||||||
print("All verified!")
|
print("All verified!")
|
||||||
return verifyinstance
|
return verifyinstance
|
||||||
|
|
||||||
|
|
||||||
|
class TokenSerializer(serializers.Serializer):
|
||||||
|
name = serializers.CharField(max_length=128)
|
||||||
|
token = serializers.CharField(max_length=128)
|
||||||
|
realm = serializers.CharField(max_length=128)
|
||||||
|
|
||||||
|
def save(self):
|
||||||
|
token_in = self.validated_data.get('token')
|
||||||
|
name_in = self.validated_data.get('name')
|
||||||
|
realm_in = self.validated_data.get('realm')
|
||||||
|
|
||||||
|
# 1. Verify that the connection might authenticate
|
||||||
|
try:
|
||||||
|
db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in)
|
||||||
|
except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist):
|
||||||
|
raise exceptions.AuthenticationFailed()
|
||||||
|
|
||||||
|
totp = pyotp.TOTP(db_instance.seed)
|
||||||
|
|
||||||
|
if not totp.verify(token_in, valid_window=3):
|
||||||
|
raise exceptions.AuthenticationFailed()
|
||||||
|
|
||||||
|
return db_instance
|
||||||
|
|
|
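Review bot: `totp.verify(token_in, valid_window=3)` accepts any code from three steps before to three steps after now, i.e. seven 30-second windows, and nothing records that a code has already been consumed, so a captured token stays valid for the whole window and can be replayed; RFC 6238 recommends at most one step of drift and that an accepted code is never accepted again. Tighten it to `if not totp.verify(token_in, valid_window=1):` and persist the last accepted time step on the OTPSeed row (for example a `last_otp_step` column set after a successful verify, with any token at or below it rejected), keeping the same AuthenticationFailed for the lookup and verify failures as the hunk already does. The lookup uses `otpauth.models.OTPSeed` while the except clause uses the bare `OTPSeed`; the imports are outside the hunk so I cannot tell whether both names resolve, but one form should be used consistently. A `save()` that performs no write and returns the row, and the `print("All verified!")` debug line in the preceding VerifySerializer, are also worth cleaning up before this becomes the production auth path.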
@ -102,6 +102,30 @@ AUTH_PASSWORD_VALIDATORS = [
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
from rest_framework import exceptions
|
||||||
|
from rest_framework import authentication
|
||||||
|
from otpauth import OTPSeed
|
||||||
|
from otpauth.serializer import TokenSerializer
|
||||||
|
|
||||||
|
class OTPAuthentication(authentication.BaseAuthentication):
|
||||||
|
def authenticate(self, request):
|
||||||
|
serializer = TokenSerializer(data=request.data)
|
||||||
|
|
||||||
|
if serializer.is_valid():
|
||||||
|
print("trying to save... {}".format(serializer))
|
||||||
|
user = serializer.save()
|
||||||
|
else:
|
||||||
|
raise exceptions.AuthenticationFailed()
|
||||||
|
|
||||||
|
return (user, None)
|
||||||
|
|
||||||
|
REST_FRAMEWORK = {
|
||||||
|
'DEFAULT_AUTHENTICATION_CLASSES': (
|
||||||
|
'OTPAuthentication'
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Internationalization
|
# Internationalization
|
||||||
# https://docs.djangoproject.com/en/2.1/topics/i18n/
|
# https://docs.djangoproject.com/en/2.1/topics/i18n/
|
||||||
|
|
||||||
|
|
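Review bot: `'DEFAULT_AUTHENTICATION_CLASSES': ('OTPAuthentication')` is a plain string, not a one-element tuple, and DRF resolves each entry as a dotted import path, so the class defined just above it will not be found; the entry should read `'DEFAULT_AUTHENTICATION_CLASSES': ('otpauth.authentication.OTPAuthentication',)` with the class moved into `otpauth/authentication.py`. Defining it in settings.py also pulls `from otpauth import OTPSeed` (the model lives in `otpauth.models` per the admin hunk) and the serializer into the settings module, which Django imports before the app registry is ready, so the import itself is likely to fail at startup. Inside `authenticate`, raising AuthenticationFailed whenever the body lacks name/realm/token rejects every request to every view, including any endpoint meant to be unauthenticated; DRF's contract is to return `None` when the scheme does not apply and raise only when credentials were supplied and are wrong. Once a row is found, check `user.is_active` before returning it, since the model carries that flag, and drop the `print("trying to save...")` debug line.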