OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1800 Commits
13 Branches
0 Tags
45 MiB
Tree: 688c3cbb2e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '688c3cbb2e'
${ noResults }
server-tools/auth_totp/README.rst

105 lines
3.4 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. .. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
  2. :target: http://www.gnu.org/licenses/lgpl.html
  3. :alt: License: LGPL-3
  5. ====================
  6. MFA Support via TOTP
  7. ====================
  9. This module adds support for MFA using TOTP (time-based, one-time passwords).
  10. It allows users to enable/disable MFA and manage authentication apps/devices
  11. via the "Change My Preferences" view and an associated wizard.
  13. After logging in normally, users with MFA enabled are taken to a second screen
  14. where they have to enter a password generated by one of their authentication
  15. apps and are presented with the option to remember the current device. This
  16. creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
  17. MFA step.
  19. Installation
  20. ============
  22. 1. Install the PyOTP library using pip: ``pip install pyotp``
  23. 2. Follow the standard module install process
  25. Configuration
  26. =============
  28. By default, the trusted device cookies introduced by this module have a
  29. ``Secure`` flag and can only be sent via HTTPS. You can disable this by going
  30. to ``Settings > Parameters > System Parameters`` and changing the
  31. ``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in
  32. production as it increases the likelihood of cookie theft via eavesdropping.
  34. Usage
  35. =====
  37. Install and enjoy.
  39. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  40. :alt: Try me on Runbot
  41. :target: https://runbot.odoo-community.org/runbot/149/10.0
  43. Known Issues / Roadmap
  44. ======================
  46. Known Issues
  47. ------------
  49. * The module does not uninstall cleanly due to an Odoo bug, leaving the
  50. ``res.users.authenticator`` and ``res.users.device`` models partially in
  51. place. This may be addressed at a later time via an Odoo fix or by adding
  52. custom uninstall logic via an uninstall hook.
  54. Roadmap
  55. -------
  57. * Make the various durations associated with the module configurable. They are
  58. currently hard-coded as follows:
  60. * 15 minutes to enter an MFA confirmation code after a password log in
  61. * 30 days before the MFA session expires and the user has to log in again
  62. * 30 days before the trusted device cookie expires
  64. * Add logic to extend an MFA user's session each time it's validated,
  65. effectively keeping it alive indefinitely as long as the user remains active
  66. * Add device fingerprinting to the trusted device cookie and provide a way to
  67. revoke trusted devices
  68. * Add company-level settings for forcing all users to enable MFA and disabling
  69. the trusted device option
  71. Bug Tracker
  72. ===========
  74. Bugs are tracked on `GitHub Issues
  75. <https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
  76. check there if your issue has already been reported. If you spotted it first,
  77. help us smash it by providing detailed and welcomed feedback.
  79. Credits
  80. =======
  82. Images
  83. ------
  85. * Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
  87. Contributors
  88. ------------
  90. * Oleg Bulkin <obulkin@laslabs.com>
  92. Maintainer
  93. ----------
  95. .. image:: https://odoo-community.org/logo.png
  96. :alt: Odoo Community Association
  97. :target: https://odoo-community.org
  99. This module is maintained by the OCA.
  101. OCA, or the Odoo Community Association, is a nonprofit organization whose
  102. mission is to support the collaborative development of Odoo features and
  103. promote its widespread use.
  105. To contribute to this module, please visit https://odoo-community.org.