Begin to phase in custom authentication

This commit is contained in:
Nico Schottelius 2018-11-18 12:38:50 +01:00
parent 2fb8c91415
commit aea92f9d85
6 changed files with 102 additions and 8 deletions

View file

@ -185,15 +185,17 @@ Dont forget to point AUTH_USER_MODEL to it. Do this before creating any migra
- [x] OTPSerializer: allow to read seed for admin
- [x] Implement deleting entry
- [x] Include verify in ModelSerializer
- [ ] Remove hard coded JSON (?)
- [ ] Use Custom authentication (?) - needs to have a user
- [ ] Maybe we map name+realm == User (?)
- [x] Maybe we map name+realm == User (?)
- name == name@realm
- no password
- password is used for admin login (?)
- seed
- custom auth method
- [ ] try to fake username for django based on name+realm (?)
- [ ] maybe overwrite get_username() (?)
- [ ] Use Custom authentication (?) - needs to have a user
- [ ] Implement creating new "User"
- by POST / Model based
- [ ] move totp constants into settings
- [ ] move field lengths into settings
- [ ] make settings adjustable by environment (?)
- [ ] Remove hard coded JSON (?)

View file

@ -5,10 +5,8 @@ from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from .models import OTPSeed
#admin.site.register(OTPSeed)
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
admin.site.register(OTPSeed, UserAdmin)
# admin.site.register(OTPSeed, UserAdmin)
admin.site.register(OTPSeed)

View file

@ -0,0 +1,46 @@
# Generated by Django 2.1.3 on 2018-11-17 22:01
import django.contrib.auth.models
import django.contrib.auth.validators
from django.db import migrations, models
import django.utils.timezone
class Migration(migrations.Migration):
initial = True
dependencies = [
('auth', '0009_alter_user_last_name_max_length'),
]
operations = [
migrations.CreateModel(
name='OTPSeed',
fields=[
('password', models.CharField(max_length=128, verbose_name='password')),
('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')),
('first_name', models.CharField(blank=True, max_length=30, verbose_name='first name')),
('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')),
('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
('id', models.AutoField(primary_key=True, serialize=False)),
('name', models.CharField(max_length=128)),
('realm', models.CharField(max_length=128)),
('seed', models.CharField(max_length=128)),
('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups')),
('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions')),
],
managers=[
('objects', django.contrib.auth.models.UserManager()),
],
),
migrations.AlterUniqueTogether(
name='otpseed',
unique_together={('name', 'realm')},
),
]

View file

@ -55,3 +55,27 @@ class VerifySerializer(serializers.Serializer):
print("All verified!")
return verifyinstance
class TokenSerializer(serializers.Serializer):
name = serializers.CharField(max_length=128)
token = serializers.CharField(max_length=128)
realm = serializers.CharField(max_length=128)
def save(self):
token_in = self.validated_data.get('token')
name_in = self.validated_data.get('name')
realm_in = self.validated_data.get('realm')
# 1. Verify that the connection might authenticate
try:
db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in)
except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist):
raise exceptions.AuthenticationFailed()
totp = pyotp.TOTP(db_instance.seed)
if not totp.verify(token_in, valid_window=3):
raise exceptions.AuthenticationFailed()
return db_instance

View file

@ -102,6 +102,30 @@ AUTH_PASSWORD_VALIDATORS = [
]
from rest_framework import exceptions
from rest_framework import authentication
from otpauth import OTPSeed
from otpauth.serializer import TokenSerializer
class OTPAuthentication(authentication.BaseAuthentication):
def authenticate(self, request):
serializer = TokenSerializer(data=request.data)
if serializer.is_valid():
print("trying to save... {}".format(serializer))
user = serializer.save()
else:
raise exceptions.AuthenticationFailed()
return (user, None)
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'OTPAuthentication'
)
}
# Internationalization
# https://docs.djangoproject.com/en/2.1/topics/i18n/