OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2212 Commits
13 Branches
0 Tags
45 MiB
Tree: f331fcdb80
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f331fcdb80'
${ noResults }
server-tools/auth_totp/README.rst

101 lines
3.2 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: RPC access * Add res.users logic to prevent RPC access for users with MFA enabled even when those users have recently logged in
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: RPC access * Add res.users logic to prevent RPC access for users with MFA enabled even when those users have recently logged in
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: RPC access * Add res.users logic to prevent RPC access for users with MFA enabled even when those users have recently logged in
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. .. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg
  2. :target: http://www.gnu.org/licenses/lgpl.html
  3. :alt: License: LGPL-3
  5. ====================
  6. MFA Support via TOTP
  7. ====================
  9. This module adds support for MFA using TOTP (time-based, one-time passwords).
  10. It allows users to enable/disable MFA and manage authentication apps/devices
  11. via the "Change My Preferences" view and an associated wizard.
  13. After logging in normally, users with MFA enabled are taken to a second screen
  14. where they have to enter a password generated by one of their authentication
  15. apps and are presented with the option to remember the current device. This
  16. creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
  17. MFA step.
  19. Installation
  20. ============
  22. 1. Install the PyOTP library using pip: ``pip install pyotp``
  23. 2. Follow the standard module install process
  25. Configuration
  26. =============
  28. By default, the trusted device cookies introduced by this module have a
  29. ``Secure`` flag. This decreases the likelihood of cookie theft via
  30. eavesdropping but may result in cookies not being set by certain browsers
  31. unless your Odoo instance uses HTTPS. If necessary, you can disable this flag
  32. by going to ``Settings > Parameters > System Parameters`` and changing the
  33. ``auth_totp.secure_cookie`` key to ``0``.
  35. Usage
  36. =====
  38. If necessary, a user's trusted devices can be revoked by disabling and
  39. re-enabling MFA for that user.
  41. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  42. :alt: Try me on Runbot
  43. :target: https://runbot.odoo-community.org/runbot/149/10.0
  45. Known Issues / Roadmap
  46. ======================
  48. Known Issues
  49. ------------
  51. * External calls to the Odoo XML-RPC API are blocked for users who enable MFA
  52. since there is currently no way to perform MFA authentication as part of this
  53. process. However, due to the way that Odoo handles authentication caching,
  54. multi-threaded or multi-process servers will need to be restarted before the
  55. block can take effect for users who have just enabled MFA.
  57. Roadmap
  58. -------
  60. * Make the lifetime of the trusted device cookie configurable rather than fixed
  61. at 30 days
  62. * Add device fingerprinting to the trusted device cookie
  63. * Add company-level settings for forcing all users to enable MFA and disabling
  64. the trusted device option
  66. Bug Tracker
  67. ===========
  69. Bugs are tracked on
  70. `GitHub Issues <https://github.com/OCA/server-tools/issues>`_. In case of
  71. trouble, please check there if your issue has already been reported. If you
  72. spotted it first, help us smash it by providing detailed and welcomed feedback.
  74. Credits
  75. =======
  77. Images
  78. ------
  80. * Odoo Community Association:
  81. `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
  83. Contributors
  84. ------------
  86. * Oleg Bulkin <obulkin@laslabs.com>
  88. Maintainer
  89. ----------
  91. .. image:: https://odoo-community.org/logo.png
  92. :alt: Odoo Community Association
  93. :target: https://odoo-community.org
  95. This module is maintained by the OCA.
  97. OCA, or the Odoo Community Association, is a nonprofit organization whose
  98. mission is to support the collaborative development of Odoo features and
  99. promote its widespread use.
  101. To contribute to this module, please visit https://odoo-community.org.