OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2039 Commits
13 Branches
0 Tags
45 MiB
Tree: 774ca18fd7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '774ca18fd7'
${ noResults }
server-tools/auth_totp/controllers/main.py

124 lines
4.7 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Firefox support * Fix Firefox MFA login error by adding logic that checks for the Firefox edge case where redirect_with_hash returns a Response object rather than a string * Add test case for this scenario
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
PR commit
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
PR commit
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Firefox support * Fix Firefox MFA login error by adding logic that checks for the Firefox edge case where redirect_with_hash returns a Response object rather than a string * Add test case for this scenario
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import json
  7. from werkzeug.contrib.securecookie import SecureCookie
  8. from werkzeug.wrappers import Response as WerkzeugResponse
  9. from odoo import _, http
  10. from odoo.http import Response, request
  11. from odoo.addons.web.controllers.main import Home
  14. class JsonSecureCookie(SecureCookie):
  15. serialization_method = json
  18. class AuthTotp(Home):
  19. @http.route()
  20. def web_login(self, *args, **kwargs):
  21. response = super(AuthTotp, self).web_login(*args, **kwargs)
  23. if request.session.get('mfa_login_needed'):
  24. request.session['mfa_login_needed'] = False
  25. return http.local_redirect(
  26. '/auth_totp/login',
  27. query={'redirect': request.params.get('redirect')},
  28. keep_hash=True,
  29. )
  31. return response
  33. @http.route(
  34. '/auth_totp/login',
  35. type='http',
  36. auth='public',
  37. methods=['GET'],
  38. website=True,
  39. )
  40. def mfa_login_get(self, *args, **kwargs):
  41. return request.render('auth_totp.mfa_login', qcontext=request.params)
  43. @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
  44. def mfa_login_post(self, *args, **kwargs):
  45. """Process MFA login attempt.
  47. Overview:
  48. * Identify current user based on login in session. If this doesn't
  49. work, redirect to the password login page with an error message.
  50. * Validate the confirmation code provided by the user. If it's not
  51. valid, redirect to the previous login step with an error message.
  52. * Update the session to indicate that the MFA login process for
  53. this user is complete and attempt password authentication again.
  54. * Build a trusted device cookie and add it to the response if the
  55. trusted device option was checked.
  56. * Redirect to the provided URL or to '/web' if one was not given.
  57. """
  59. # sudo() is required because there is no request.env.uid (likely since
  60. # there is no user logged in at the start of the request)
  61. user_model_sudo = request.env['res.users'].sudo()
  62. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  64. user_login = request.session.get('login')
  65. user = user_model_sudo.search([('login', '=', user_login)])
  66. if not user:
  67. return http.local_redirect(
  68. '/web/login',
  69. query={
  70. 'redirect': request.params.get('redirect'),
  71. 'error': _(
  72. 'You must log in with a password before starting the'
  73. ' MFA login process.'
  74. ),
  75. },
  76. keep_hash=True,
  77. )
  79. confirmation_code = request.params.get('confirmation_code')
  80. if not user.validate_mfa_confirmation_code(confirmation_code):
  81. return http.local_redirect(
  82. '/auth_totp/login',
  83. query={
  84. 'redirect': request.params.get('redirect'),
  85. 'error': _(
  86. 'Your confirmation code is not correct. Please try'
  87. ' again.'
  88. ),
  89. },
  90. keep_hash=True,
  91. )
  92. request.session['mfa_login_active'] = user.id
  94. user_pass = request.session.get('password')
  95. uid = request.session.authenticate(request.db, user.login, user_pass)
  96. if uid:
  97. request.params['login_success'] = True
  99. redirect = request.params.get('redirect')
  100. if not redirect:
  101. redirect = '/web'
  102. response = http.redirect_with_hash(redirect)
  103. if not isinstance(response, WerkzeugResponse):
  104. response = Response(response)
  106. if request.params.get('remember_device'):
  107. secret = user.trusted_device_cookie_key
  108. device_cookie = JsonSecureCookie({'user_id': user.id}, secret)
  109. cookie_lifetime = timedelta(days=30)
  110. cookie_exp = datetime.utcnow() + cookie_lifetime
  111. device_cookie = device_cookie.serialize(cookie_exp)
  112. cookie_key = 'trusted_devices_%d' % user.id
  113. sec_config = config_model_sudo.get_param('auth_totp.secure_cookie')
  114. security_flag = sec_config != '0'
  115. response.set_cookie(
  116. cookie_key,
  117. device_cookie,
  118. max_age=cookie_lifetime.total_seconds(),
  119. expires=cookie_exp,
  120. httponly=True,
  121. secure=security_flag,
  122. )
  124. return response