OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1757 Commits
13 Branches
0 Tags
45 MiB
Tree: c8d5b50777
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c8d5b50777'
${ noResults }
server-tools/auth_totp/README.rst

88 lines
2.8 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. .. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
  2. :target: http://www.gnu.org/licenses/lgpl.html
  3. :alt: License: LGPL-3
  5. ====================
  6. MFA Support via TOTP
  7. ====================
  9. This module adds support for MFA using TOTP (time-based, one-time passwords).
  10. It allows users to enable/disable MFA and manage authentication apps/devices
  11. via the "Change My Preferences" view and an associated wizard.
  13. After logging in normally, users with MFA enabled are taken to a second screen
  14. where they have to enter a password generated by one of their authentication
  15. apps and are presented with the option to remember the current device. This
  16. creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
  17. MFA step.
  19. Installation
  20. ============
  22. 1. Install the PyOTP library using pip: ``pip install pyotp``
  23. 2. Follow the standard module install process
  25. Configuration
  26. =============
  28. By default, the trusted device cookies introduced by this module have a
  29. ``Secure`` flag. This decreases the likelihood of cookie theft via
  30. eavesdropping but may result in cookies not being set by certain browsers
  31. unless your Odoo instance uses HTTPS. If necessary, you can disable this flag
  32. by going to ``Settings > Parameters > System Parameters`` and changing the
  33. ``auth_totp.secure_cookie`` key to ``0``.
  35. Usage
  36. =====
  38. If necessary, a user's trusted devices can be revoked by disabling and
  39. re-enabling MFA for that user.
  41. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  42. :alt: Try me on Runbot
  43. :target: https://runbot.odoo-community.org/runbot/149/10.0
  45. Known Issues / Roadmap
  46. ======================
  48. * Make the lifetime of the trusted device cookie configurable rather than fixed
  49. at 30 days
  50. * Add device fingerprinting to the trusted device cookie
  51. * Add company-level settings for forcing all users to enable MFA and disabling
  52. the trusted device option
  54. Bug Tracker
  55. ===========
  57. Bugs are tracked on `GitHub Issues
  58. <https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
  59. check there if your issue has already been reported. If you spotted it first,
  60. help us smash it by providing detailed and welcomed feedback.
  62. Credits
  63. =======
  65. Images
  66. ------
  68. * Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
  70. Contributors
  71. ------------
  73. * Oleg Bulkin <obulkin@laslabs.com>
  75. Maintainer
  76. ----------
  78. .. image:: https://odoo-community.org/logo.png
  79. :alt: Odoo Community Association
  80. :target: https://odoo-community.org
  82. This module is maintained by the OCA.
  84. OCA, or the Odoo Community Association, is a nonprofit organization whose
  85. mission is to support the collaborative development of Odoo features and
  86. promote its widespread use.
  88. To contribute to this module, please visit https://odoo-community.org.