Use django-allauth for MFA and replace python social auth
Scope and purpose
django-allauth (hereafter: allauth) is python-social-auth's (hereafter: PSA) oldest competitor. It is possible to replace PSA with allauth, and the latter has support for MFA built in.
It is possible to run the two in parallel; there are no clashing module names or table names.
django-allauth does not support LDAP logins.
This pull request (eventually)
- adds/changes/removes a dependency
- changes the database
- changes the API
How to test
Install the dependency: pip install argus-server[allauth-mfa] or pip install django-allauth[mfa]
The easiest way to configure is to use the extra-apps-machinery.
First make sure that argus-htmx overrides settings:
```python
from argus.htmx.appconfig import APP_SETTINGS

update_settings(globals(), APP_SETTINGS, override=True)
```
Note override=True! If this is not the case, the allauth templates will be completely unstyled and white.
Then set EXTRA_APPS as an environment-variable like so (shell-dependent):
```shell
export ARGUS_EXTRA_APPS="$(cat allauth.json)"
```
then finally allauth.json needs to look like this:
```json
[
  {
    "app_name": "allauth",
    "settings": { "USE_PYTHON_SOCIAL_AUTH": false }
  },
  {
    "app_name": "allauth.account",
    "middleware": {
      "allauth.account.middleware.AccountMiddleware": "end"
    },
    "settings": {
      "ACCOUNT_ADAPTER": "argus.auth.allauth.ArgusAccountAdapter",
      "ACCOUNT_ALLOW_SIGNUPS": false,
      "LOGIN_URL": "/accounts/login/",
      "PUBLIC_URLS": [
        "/accounts/login/",
        "/accounts/signup/",
        "/api/"
      ]
    }
  },
  {
    "app_name": "allauth.mfa",
    "settings": {
      "MFA_TOTP_ISSUER": "Argus",
      "MFA_TOTP_TOLERANCE": 0
    }
  }
]
```
MFA_TOTP_TOLERANCE is to account for clock drift. 0 is default. 1 is for network lag, 2 works for TOTP smartcards. Lower is better.
Run migrations. allauth.account adds the tables account_emailaddress and account_emailconfirmation. allauth.mfa adds the table mfa_authenticator.
You must be logged in and you must have an email address verified the allauth way. Then you can visit '/accounts/2fa' to get the QR code/magic string to set up a TOTP provider.
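To make the MFA_TOTP_TOLERANCE setting concrete, here is an added example (not Argus or allauth code) that implements RFC 6238 TOTP verification with a tolerance window and shows a code from the previous 30-second step being rejected at tolerance 0 and accepted at tolerance 1. The secret is the RFC 6238 test-vector key, so the expected codes are known; the verify() function is a stand-in for what allauth does internally, not its actual API.

```python
import base64
import hmac
import struct
from hashlib import sha1

# RFC 6238 test-vector secret ("12345678901234567890" in base32); not a real key.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PERIOD = 30   # seconds per TOTP step
DIGITS = 6


def totp(secret_b32: str, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP(key, floor(time / period)) with dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, candidate: str, unix_time: int, tolerance: int = 0) -> bool:
    """Accept the code for the current step and `tolerance` steps on either side.

    tolerance=0 is the strict default; each extra step widens the window by 30 s
    in both directions, which is what the setting trades against clock drift.
    """
    now_step = int(unix_time) // PERIOD
    for step in range(now_step - tolerance, now_step + tolerance + 1):
        expected = totp(secret_b32, step * PERIOD)
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            return True
    return False


def drift_demo(unix_time: int = 1111111111) -> dict:
    """A code generated one step (30 s) ago: rejected at tolerance 0, accepted at 1."""
    stale_code = totp(RFC6238_SECRET_B32, unix_time - PERIOD)
    return {
        "tolerance_0": verify(RFC6238_SECRET_B32, stale_code, unix_time, tolerance=0),
        "tolerance_1": verify(RFC6238_SECRET_B32, stale_code, unix_time, tolerance=1),
    }


if __name__ == "__main__":
    print(drift_demo())  # {'tolerance_0': False, 'tolerance_1': True}
```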
OAuth2/SAML/OIDC
Install the dependency: pip install argus-server[allauth-social] or pip install django-allauth[socialaccount]
Add to allauth.json:
```json
{
  "app_name": "allauth.socialaccount",
  "settings": {
    "SOCIALACCOUNT_AUTO_SIGNUP": true,
    "SOCIALACCOUNT_ADAPTER": "argus.auth.allauth.ArgusSocialAccountAdapter"
  }
}
```
This is JSON, so validate it with jq or similar to make sure the commas are in the right places; JSON does not allow a trailing comma before }.
Run migrations. The tables socialaccount_socialaccount, socialaccount_socialapp and socialaccount_socialtoken are added.
Finally one app per provider is needed, here showing dataporten:
```json
{
  "app_name": "allauth.socialaccount.providers.dataporten"
}
```
The settings for the provider need to be set per site, so directly in a settings file. This copies the values used for PSA:
```python
SOCIALACCOUNT_PROVIDERS = {
    "dataporten": {
        "EMAIL_AUTHENTICATION": True,
        "VERIFIED_EMAIL": True,
        "APP": {
            "client_id": get_str_env("ARGUS_DATAPORTEN_KEY", required=True),
            # "key": get_str_env("ARGUS_DATAPORTEN_KEY", required=True),
            "secret": get_str_env("ARGUS_DATAPORTEN_SECRET", required=True),
        },
    },
}
```
At this point there's a new page on /accounts/3rdparty/.
Contributor Checklist
Every pull request should have this checklist filled out, no matter how small it is. More information about contributing to Argus can be found in the Development docs.
- [ ] Added a changelog fragment for towncrier
- [ ] Added/amended tests for new/changed code
- [ ] Added/changed documentation
- [x] Linted/formatted the code with ruff and djLint, easiest by using pre-commit
- [x] The first line of the commit message continues the sentence "If applied, this commit will ...", starts with a capital letter, does not end with punctuation and is 50 characters or less long. See our how-to
- [ ] If applicable: Created new issues if this PR does not fix the issue completely/there is further work to be done
- [ ] If this results in changes in the UI: Added screenshots of the before and after
- [ ] If this results in changes to the database model: Updated the ER diagram
Known missing
Delete as they are fixed.
- Pretty templates
- Docs
- ...
Test results
4 files, 468 suites, 17m 37s: 565 tests (564 passed, 1 skipped, 0 failed); 2 260 runs (2 256 passed, 4 skipped, 0 failed).
Results for commit d499b14e.
Codecov Report
Patch coverage is 23.44498% with 160 lines in your changes missing coverage. Please review.
Project coverage is 76.33%. Comparing base (7703e72) to head (d499b14).
Coverage diff:
```
@@            Coverage Diff             @@
##           master    #1406      +/-   ##
==========================================
- Coverage   78.25%   76.33%   -1.93%
==========================================
  Files         125      138      +13
  Lines        5519     5712     +193
==========================================
+ Hits         4319     4360      +41
- Misses       1200     1352     +152
```
In order to use MFA with allauth it is necessary to have a verified email address.
The template to verify an address is the same one used to add and remove addresses, and to set one of several addresses as "primary". It is not possible to hide the "Add new address" form since it is also used to change an address, by first adding an address and then removing the old one.
We add addresses via "destinations" and by getting a "synced" address from OAuth2 so we need to adapt somehow. Either copy addresses in destinations to allauth's system or generate destinations from allauth's system or sync both ways. Either way, a "synced" address (copied from social account) cannot be deleted so we cannot leave this form and view untouched.
Quality Gate passed. Issues: 0 new, 0 accepted. Measures: 0 security hotspots, 0.0% coverage on new code, 0.0% duplication on new code.
Quality Gate passed. Issues: 2 new, 0 accepted. Measures: 0 security hotspots, 0.0% coverage on new code, 0.0% duplication on new code.