Begin to phase in custom authentication

README.md

@@ -185,15 +185,17 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra
 - [x] OTPSerializer: allow to read seed for admin
 - [x] Implement deleting entry
 - [x] Include verify in ModelSerializer
-- [ ] Remove hard coded JSON (?)
-- [ ] Use Custom authentication (?) - needs to have a user
-- [ ] Maybe we map name+realm == User (?)
+- [x] Maybe we map name+realm == User (?)
   - name == name@realm
-  - no password
+  - password is used for admin login (?)
   - seed
   - custom auth method
+- [ ] try to fake username for django based on name+realm (?)
+- [ ] maybe overwrite get_username() (?)
+- [ ] Use Custom authentication (?) - needs to have a user
 - [ ] Implement creating new "User"
   - by POST / Model based
 - [ ] move totp constants into settings
 - [ ] move field lengths into settings
 - [ ] make settings adjustable by environment (?)
+- [ ] Remove hard coded JSON (?)

ungleichotp/otpauth/admin.py

@@ -5,10 +5,8 @@ from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin
 from .models import OTPSeed
 
-#admin.site.register(OTPSeed)
-
-
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin
 
-admin.site.register(OTPSeed, UserAdmin)
+# admin.site.register(OTPSeed, UserAdmin)
+admin.site.register(OTPSeed)

ungleichotp/otpauth/migrations/0001_initial.py

@@ -0,0 +1,46 @@
+# Generated by Django 2.1.3 on 2018-11-17 22:01
+
+import django.contrib.auth.models
+import django.contrib.auth.validators
+from django.db import migrations, models
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('auth', '0009_alter_user_last_name_max_length'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OTPSeed',
+            fields=[
+                ('password', models.CharField(max_length=128, verbose_name='password')),
+                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
+                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
+                ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')),
+                ('first_name', models.CharField(blank=True, max_length=30, verbose_name='first name')),
+                ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
+                ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')),
+                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
+                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
+                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
+                ('id', models.AutoField(primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128)),
+                ('realm', models.CharField(max_length=128)),
+                ('seed', models.CharField(max_length=128)),
+                ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups')),
+                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions')),
+            ],
+            managers=[
+                ('objects', django.contrib.auth.models.UserManager()),
+            ],
+        ),
+        migrations.AlterUniqueTogether(
+            name='otpseed',
+            unique_together={('name', 'realm')},
+        ),
+    ]

ungleichotp/otpauth/serializer.py

@@ -55,3 +55,27 @@ class VerifySerializer(serializers.Serializer):
 
         print("All verified!")
         return verifyinstance
+
+
+class TokenSerializer(serializers.Serializer):
+    name = serializers.CharField(max_length=128)
+    token = serializers.CharField(max_length=128)
+    realm = serializers.CharField(max_length=128)
+
+    def save(self):
+        token_in = self.validated_data.get('token')
+        name_in =  self.validated_data.get('name')
+        realm_in =  self.validated_data.get('realm')
+
+        # 1. Verify that the connection might authenticate
+        try:
+            db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in)
+        except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist):
+            raise exceptions.AuthenticationFailed()
+
+        totp = pyotp.TOTP(db_instance.seed)
+
+        if not totp.verify(token_in, valid_window=3):
+            raise exceptions.AuthenticationFailed()
+
+        return db_instance

ungleichotp/ungleichotp/settings.py

@@ -102,6 +102,30 @@ AUTH_PASSWORD_VALIDATORS = [
 ]
 
 
+from rest_framework import exceptions
+from rest_framework import authentication
+from otpauth import OTPSeed
+from otpauth.serializer import TokenSerializer
+
+class OTPAuthentication(authentication.BaseAuthentication):
+    def authenticate(self, request):
+        serializer = TokenSerializer(data=request.data)
+
+        if serializer.is_valid():
+            print("trying to save... {}".format(serializer))
+            user = serializer.save()
+        else:
+            raise exceptions.AuthenticationFailed()
+
+        return (user, None)
+
+REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'OTPAuthentication'
+    )
+}
+
+
 # Internationalization
 # https://docs.djangoproject.com/en/2.1/topics/i18n/