readthedocs.org icon indicating copy to clipboard operation
readthedocs.org copied to clipboard

Published 20 hours ago verified publisher icon readthedocs

Support two factor auth (2FA)

Open agjohnson opened this issue 7 years ago • 15 comments

We should enable 2fa for dashboard users. I keep wanting to add site admin features to the dashboard, but then think about the security aspects of adding these features and find myself also wanting 2fa. There are some libraries that do handle a 2fa workflow for standard django logins, but i don't know if this extends to django + allauth or django + mamacas.

I'm sure we're probably in agreement of this being an important feature, but I'm not sure we can gauge the importance of 2fa for users. I'm sure community users would use a feature like this, and site admins would use this feature -- I doubt this is in high demand for commercial hosting customers though.

The following thoughts come to mind:

  • Is this too hard? Does allauth play well with a 2fa workflow?
  • Is there any reason besides complicating login that we shouldn't?

agjohnson avatar Jan 16 '18 05:01 agjohnson

I'm +0 on adding it. I don't think RTD is so sensitive that we are a common attack vector. I'm much more worried about building authoring features before building something like this, unless it's simple to do with a pluggable Django app. Unless users are specifically asking for this, I don't see it as a high priority (sadly).

ericholscher avatar Mar 27 '18 08:03 ericholscher

Yeah, i agree on priority here. This is a feature that i consider more important for commercial hosting, but I also haven't had any requests for this feature though.

agjohnson avatar Mar 29 '18 17:03 agjohnson

Also, I think a lot of what I want to add would probably be more applicable as a django admin action instead of an on site admin only feature.

agjohnson avatar Mar 29 '18 17:03 agjohnson

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 10 '19 16:01 stale[bot]

Accepted :+1:

ericholscher avatar Jan 10 '19 16:01 ericholscher

@agjohnson

more applicable as a django admin action instead of an on site admin only feature

I am a little confused on this line on what this means? Also the Needed: design decision tag is removed. Can it be made clear on what needs to be done?

dojutsu-user avatar Feb 02 '19 15:02 dojutsu-user

Any update on this?

MatteoGheza avatar Jan 07 '21 17:01 MatteoGheza

Sadly not -- we'd love to support it, but it isn't on our short term roadmap. If there is a good way to handle this via Django, we'd love to know, but I haven't found one.

ericholscher avatar Jan 07 '21 17:01 ericholscher

Today I did quick search and I found this one https://django-allauth-2fa.readthedocs.io/en/latest/, which looks like a good candidate since it should integrate directly with our current auth system: django-allauth.

humitos avatar Jan 15 '21 15:01 humitos

There is another Python package that could be useful for this https://github.com/justinmayer/kagi

humitos avatar Oct 06 '22 15:10 humitos

I do wonder about basically just punting on this, and saying to use one of our SSO options if you want 2FA. I think more and more users are going to be defaulting to logging in with those options to enable our VCS SSO anyway.

ericholscher avatar Nov 23 '22 01:11 ericholscher

I think suggesting SSO options is the way to go here. However, is possible to "remove the password" from an existing user after connecting GitHub for example? I did a quick check and I wasn't able to find it.

humitos avatar Jan 16 '24 11:01 humitos

Django allauth now has built-in support for 2FA https://docs.allauth.org/en/latest/mfa/introduction.html

stsewd avatar Feb 19 '24 19:02 stsewd

We talk about supporting this during the offsite if it wasn't super complicated. I'm adding this issue to 2024Q3 to see if we can prioritize it.

humitos avatar May 21 '24 13:05 humitos

Yea, now that allauth supports it, would be great to add 👍

ericholscher avatar May 22 '24 21:05 ericholscher

Putting this on our next sprint, as this is now supported in AllAuth, hopefully this will be pretty straightforward 🙏

ericholscher avatar Jul 30 '24 16:07 ericholscher

Well, it was easy to integrate. Just install a new dependency django-allauth[mfa], and install the app.

Things to take into consideration:

  • We probably want to override all the templates related to mfa, the default ones don't look great with our theme.
  • ~~I see in the code that the current hostname is used for some things, we should check that the auth works on both domains (rtd.org/com and app.rtd.org/com), or do some overrides.~~ Edit: This is used for webauthn only.
  • The name of the site is taken from the Site object, we should make sure it says Read the Docs or Read the Docs Community or whatever.
  • The recovery codes are not encrypted by default, we need to implement that for ourselves. See encrypt/decrypt in https://docs.allauth.org/en/latest/mfa/adapter.html. I think it makes sense to encrypt the recovery codes. Update: Looks like what they give you to encrypt is a seed, the codes themselves are generated from that seed, so, it could be useful to encrypt that too.

stsewd avatar Aug 01 '24 17:08 stsewd

It sounds like overall the main work is templating then and some QA? I assume the templates should be pretty simple, so hopefully not a ton of work to theme.

The name of the site is taken from the Site object, we should make sure it says Read the Docs or Read the Docs Community or whatever.

I confirmed these

ericholscher avatar Aug 01 '24 18:08 ericholscher

Yep, if we are cool with that, I can open a PR with the changes.

stsewd avatar Aug 01 '24 18:08 stsewd

Note: support for 2FA has been added, but it won't be exposed to users yet, we will be exposing this feature in the new dashboard (once it's ready).

stsewd avatar Aug 22 '24 16:08 stsewd