Pull in opr #842 - 2-factor auth (#86)

* docs: release date and block fixes

* i18n: added Chinese-Simple translation

* Update messages.po

change language from 'zh_Hans_CN' to 'zh_CN'

* rename nl_NL/LC_MESSAGES/messages.po and zh_Hans_CN/LC_MESSAGES/messages.po

* Security two factor authentication feature

* supporting two factor authentication:

* Support Mail, SMS, or Google Authenticator second factor authentication.

* Ability to change second factor authentication to existing users 

* Provide rescue mail in case of lost phone

* update docs with two factor authentication changes

* updating requirements, authors

* adding two_factor test

* improving tests coverage

* fix double import and unused import, revert get_user

* fix missing setup.py install_requires

* fix TestMail (remove __init_)

* formatting

* more formatting

* too many blank lines

* formatting forms.py

* signals line length

* twofactor formatting

* utils formatting

* update twilio client import

* missing import

* blueprint line length (twofactor)

* line too long/import/authors inadv. deleted

* conftest.py allow nulls in sqlalchemy

* Spelling, Update Functions and Tests Python 3.7 Support

request.json->request.get_json
update tests to use hash_password
pep8 compliance
Update dependencies for tests
move from pyenchant to msgcheck

* Update docs/configuration.rst

Co-Authored-By: malware-watch <[email protected]>

* consistent two-factor

* .gitignore .venv/

* fixes.  passlib.totp, if not request.is_json

* translation stubs for new messages

* Make two-factor login more JSON friendly

* feature - merge in two factor auth.

These changes are mostly docs and cleanup.

* remove pyqrcode, onetimepass from install requires

check imports if TWO_FACTOR is True

* Minor doc fixes.

Increase sizes of examples for 2FA phone and secret.

* whitespace

* feature - merge in two factor auth.

These changes are mostly docs and cleanup.

* Fix formatting.

Author: jwag956

.gitignore

@@ -28,6 +28,7 @@ pip-log.txt
 
 #Virtualenv
 env/
+.venv/
 
 #Editor temporaries
 *~
@@ -45,8 +46,11 @@ Session.vim
 
 .eggs/README.txt
 
-# Idea
-.idea/
-
 # Mac
 .DS_Store
+
+# Pycharm files
+.idea/
+
+# VScode
+.vscode/

AUTHORS

@@ -46,3 +46,6 @@ Walt Askew
 John Paraskevopoulos
 Chris Wagner
 Eric Regnier
+Gal Stainfeld
+Ivan Piskunov
+Tyler Baur

CHANGES

@@ -19,6 +19,7 @@ Released TBD
 - (:pr:`73`) Fix get_user for various DBs (jwag956).
   This is a more complete fix than in opr #633.
 - (:pr:`78`) Add formal openapi API spec (jwag956).
+- (:pr:`86`) Add Two-factor authentication (opr #842) (baurt).
 
 Version 3.1.0
 -------------

docs/api.rst

@@ -98,6 +98,12 @@ Utils
 
 .. autofunction:: flask_security.utils.transform_url
 
+.. autoclass:: flask_security.utils.SmsSenderBaseClass
+  :members: send_sms
+
+.. autoclass:: flask_security.utils.SmsSenderFactory
+  :members: createSender
+
 Signals
 -------
 See the `Flask documentation on signals`_ for information on how to use these
@@ -142,5 +148,14 @@ sends the following signals.
    Sent when a user requests a password reset. In addition to the app (which is
    the sender), it is passed `user` and `token` arguments.
 
+.. data:: user_two_factored
+
+    Sent when a user performs two-factor authentication login on the site. In
+    addition to the app (which is the sender), it is passed `user` argument
+
+.. data:: two_factor_method_changed
+
+  Sent when two-factor is used and user logs in. In addition to the app
+  (which is the sender), it is passed `user` argument.
 
 .. _Flask documentation on signals: http://flask.pocoo.org/docs/signals/

docs/configuration.rst

@@ -63,6 +63,10 @@ Core
                                          to ``MAIL_DEFAULT_SENDER`` if
                                          Flask-Mail is used otherwise
                                          ``no-reply@localhost``.
+``SECURITY_TWO_FACTOR_RESCUE_MAIL``      Specifies the email address users send
+                                         mail to when they can't complete the
+                                         two-factor authentication login.
+                                         Defaults to ``no-reply@localhost``.
 ``SECURITY_TOKEN_AUTHENTICATION_KEY``    Specifies the query string parameter to
                                          read when using token authentication.
                                          Defaults to ``auth_token``.
@@ -187,31 +191,45 @@ Template Paths
 
 .. tabularcolumns:: |p{6.5cm}|p{8.5cm}|
 
-======================================== =======================================
-``SECURITY_FORGOT_PASSWORD_TEMPLATE``    Specifies the path to the template for
-                                         the forgot password page. Defaults to
-                                         ``security/forgot_password.html``.
-``SECURITY_LOGIN_USER_TEMPLATE``         Specifies the path to the template for
-                                         the user login page. Defaults to
-                                         ``security/login_user.html``.
-``SECURITY_REGISTER_USER_TEMPLATE``      Specifies the path to the template for
-                                         the user registration page. Defaults to
-                                         ``security/register_user.html``.
-``SECURITY_RESET_PASSWORD_TEMPLATE``     Specifies the path to the template for
-                                         the reset password page. Defaults to
-                                         ``security/reset_password.html``.
-``SECURITY_CHANGE_PASSWORD_TEMPLATE``    Specifies the path to the template for
-                                         the change password page. Defaults to
-                                         ``security/change_password.html``.
-``SECURITY_SEND_CONFIRMATION_TEMPLATE``  Specifies the path to the template for
-                                         the resend confirmation instructions
-                                         page. Defaults to
-                                         ``security/send_confirmation.html``.
-``SECURITY_SEND_LOGIN_TEMPLATE``         Specifies the path to the template for
-                                         the send login instructions page for
-                                         passwordless logins. Defaults to
-                                         ``security/send_login.html``.
-======================================== =======================================
+============================================== =======================================
+``SECURITY_FORGOT_PASSWORD_TEMPLATE``          Specifies the path to the template for
+                                               the forgot password page. Defaults to
+                                               ``security/forgot_password.html``.
+``SECURITY_LOGIN_USER_TEMPLATE``               Specifies the path to the template for
+                                               the user login page. Defaults to
+                                               ``security/login_user.html``.
+``SECURITY_REGISTER_USER_TEMPLATE``            Specifies the path to the template for
+                                               the user registration page. Defaults to
+                                               ``security/register_user.html``.
+``SECURITY_RESET_PASSWORD_TEMPLATE``           Specifies the path to the template for
+                                               the reset password page. Defaults to
+                                               ``security/reset_password.html``.
+``SECURITY_CHANGE_PASSWORD_TEMPLATE``          Specifies the path to the template for
+                                               the change password page. Defaults to
+                                               ``security/change_password.html``.
+``SECURITY_SEND_CONFIRMATION_TEMPLATE``        Specifies the path to the template for
+                                               the resend confirmation instructions
+                                               page. Defaults to
+                                               ``security/send_confirmation.html``.
+``SECURITY_SEND_LOGIN_TEMPLATE``               Specifies the path to the template for
+                                               the send login instructions page for
+                                               passwordless logins. Defaults to
+                                               ``security/send_login.html``.
+``SECURITY_TWO_FACTOR_VERIFY_CODE_TEMPLATE``   Specifies the path to the template for
+                                               the verify code page for the two-factor
+                                               authentication process. Defaults to
+                                               ``security/two_factor_verify_code.html``.
+
+``SECURITY_TWO_FACTOR_CHOOSE_METHOD_TEMPLATE`` Specifies the path to the template for
+                                               the choose method page for the two
+                                               factor authentication process. Defaults
+                                               to ``security/two_factor_choose_method.html``
+``SECURITY_TWO_FACTOR_CHANGE_METHOD_TEMPLATE`` Specifies the path to the template for
+                                               the change method page for the two
+                                               factor authentication process. Defaults
+                                               to ``security/two_factor_change_method_password_confirmation.html``.
+
+============================================== =======================================
 
 
 Feature Flags
@@ -251,6 +269,15 @@ Feature Flags
                           change password endpoint. The URL for this endpoint is
                           specified by the ``SECURITY_CHANGE_URL`` configuration
                           option. Defaults to ``False``.
+``SECURITY_TWO_FACTOR``   Specifies if Flask-Security should enable the
+                          two-factor login feature. If set to ``True``, in
+                          addition to their passwords, users will be required to
+                          enter a code that is sent to them. The added feature
+                          includes the ability to send it either via email, sms
+                          message, or Google Authenticator. Default time of
+                          validity is 30 seconds in Google Authenticator and up
+                          to 60 seconds if sent by mail or sms.
+                          Defaults to ``False``.
 ========================= ======================================================
 
 Email
@@ -286,6 +313,12 @@ Email
 ``SECURITY_EMAIL_HTML``                           Sends email as HTML using
                                                   ``*.html`` template. Defaults
                                                   to ``True``.
+``SECURITY_EMAIL_SUBJECT_TWO_FACTOR``             Sets the subject for the two
+                                                  factor feature. Defaults to
+                                                  ``Two-factor Login``
+``SECURITY_EMAIL_SUBJECT_TWO_FACTOR_RESCUE``      Sets the subject for the two
+                                                  factor help function. Defaults
+                                                  to ``Two-factor Rescue``
 ================================================= ==============================
 
 Miscellaneous
@@ -327,6 +360,28 @@ Miscellaneous
                                               enabled. Always pluralized the
                                               time unit for this value.
                                               Defaults to ``1 days``.
+``SECURITY_TWO_FACTOR_GOOGLE_AUTH_VALIDITY``  Specifies the number of time
+                                              windows user has before the token
+                                              generated for him using google
+                                              authenticator is valid. time
+                                              windows specifies the amount of
+                                              time, which is 30 seconds for each
+                                              window. Default to 0, which is up
+                                              to 30 seconds.
+``SECURITY_TWO_FACTOR_MAIL_VALIDITY``         Specifies the number of time
+                                              windows user has before the token
+                                              sent to him using mail is valid.
+                                              time windows specifies the amount
+                                              of time, which is 30 seconds for
+                                              each window. Default to 1, which
+                                              is up to 60 seconds.
+``SECURITY_TWO_FACTOR_SMS_VALIDITY``          Specifies the number of time
+                                              windows user has before the token
+                                              sent to him using sms is valid.
+                                              time windows specifies the amount
+                                              of time, which is 30 seconds for
+                                              each window. Default to 5, which
+                                              is up to 3 minutes.                                                                                            .
 ``SECURITY_LOGIN_WITHOUT_CONFIRMATION``       Specifies if a user may login
                                               before confirming their email when
                                               the value of
@@ -352,6 +407,24 @@ Miscellaneous
 ``SECURITY_DEFAULT_REMEMBER_ME``              Specifies the default "remember
                                               me" value used when logging in
                                               a user. Defaults to ``False``.
+``SECURITY_TWO_FACTOR_ENABLED_METHODS``       Specifies the default enabled
+                                              methods for two-factor
+                                              authentication. defaults to
+                                              ``['mail', 'google_authenticator',
+                                              'sms']`` which are the only
+                                              supported method at the moment.
+``SECURITY_TWO_FACTOR_URI_SERVICE_NAME``      Specifies the name of the service
+                                              or application that the user is
+                                              authenticating to. Defaults to
+                                              ``service_name``
+``SECURITY_TWO_FACTOR_SMS_SERVICE``           Specifies the name of the sms
+                                              service provider. Defaults to
+                                              ``Dummy`` which does nothing.
+``SECURITY_TWO_FACTOR_SMS_SERVICE_CONFIG``    Specifies a dictionary of basic
+                                              configurations needed for use of a
+                                              sms service. Defaults to
+                                              ``{'ACCOUNT_ID': NONE, 'AUTH_TOKEN
+                                              ':NONE, 'PHONE_NUMBER': NONE}``
 ``SECURITY_DATETIME_FACTORY``                 Specifies the default datetime
                                               factory. Defaults to
                                               ``datetime.datetime.utcnow``.
@@ -396,5 +469,12 @@ The default messages and error levels can be found in ``core.py``.
 * ``SECURITY_MSG_PASSWORD_RESET_REQUEST``
 * ``SECURITY_MSG_REFRESH``
 * ``SECURITY_MSG_RETYPE_PASSWORD_MISMATCH``
+* ``SECURITY_MSG_TWO_FACTOR_INVALID_TOKEN``
+* ``SECURITY_MSG_TWO_FACTOR_LOGIN_SUCCESSFUL``
+* ``SECURITY_MSG_TWO_FACTOR_CHANGE_METHOD_SUCCESSFUL``
+* ``SECURITY_MSG_TWO_FACTOR_PASSWORD_CONFIRMATION_DONE``
+* ``SECURITY_MSG_TWO_FACTOR_PASSWORD_CONFIRMATION_NEEDED``
+* ``SECURITY_MSG_TWO_FACTOR_PERMISSION_DENIED``
+* ``SECURITY_MSG_TWO_FACTOR_METHOD_NOT_AVAILABLE``
 * ``SECURITY_MSG_UNAUTHORIZED``
 * ``SECURITY_MSG_USER_DOES_NOT_EXIST``

docs/contents.rst.inc

@@ -9,6 +9,7 @@ Contents
    quickstart
    models
    customizing
+   two_factor_configurations
    api
    changelog
    authors

docs/customizing.rst

@@ -21,6 +21,9 @@ following is a list of view templates:
 * `security/change_password.html`
 * `security/send_confirmation.html`
 * `security/send_login.html`
+* `security/two_factor_change_method_password_confirmation.html`
+* `security/two_factor_choose_method.html`
+* `security/two_factor_verify_code.html`
 
 Overriding these templates is simple:
 
@@ -61,6 +64,8 @@ The following is a list of all the available context processor decorators:
 * ``change_password_context_processor``: Change password view
 * ``send_confirmation_context_processor``: Send confirmation view
 * ``send_login_context_processor``: Send login view
+* ``two_factor_setup_context_processor``: Two factor setup view
+* ``two_factor_token_validation_context_processor``: Two factor token validation view
 
 
 Forms
@@ -103,7 +108,10 @@ The following is a list of all the available form overrides:
 * ``change_password_form``: Change password form
 * ``send_confirmation_form``: Send confirmation form
 * ``passwordless_login_form``: Passwordless login form
-
+* ``two_factor_verify_code_form``: Two-factor code form
+* ``two_factor_setup_form``: Two-factor setup form
+* ``two_factor_change_method_verify_password_form``: Two-factor password form
+* ``two_factor_rescue_form``: Two-factor help user form
 
 Emails
 ------
@@ -124,6 +132,10 @@ The following is a list of email templates:
 * `security/email/reset_notice.txt`
 * `security/email/welcome.html`
 * `security/email/welcome.txt`
+* `security/email/two_factor_instructions.html`
+* `security/email/two_factor_instructions.txt`
+* `security/email/two_factor_rescue.html`
+* `security/email/two_factor_rescue.txt`
 
 Overriding these templates is simple:
 

docs/features.rst

@@ -61,6 +61,24 @@ Thus if the user changes his or her password their existing authentication token
 will become invalid. A new token will need to be retrieved using the user's new
 password.
 
+Two-factor Authentication (experimental)
+----------------------------------------
+Two-factor authentication is enabled by generating time-based one time passwords
+(Tokens). The tokens are generated using the users totp secret, which is unique
+per user, and is generated both on first login, and when changing the two-factor
+method.(Doing this causes the previous totp secret to become invalid) The token
+is provided by one of 3 methods - email, sms (service is not provided), or
+Google Authenticator. By default, tokens provided by google authenticator are
+valid for 30 seconds, tokens sent by mail for up to 1 minute and tokens sent by
+sms for up to 3 minutes. The QR code used to supply Google Authenticator with
+the secret is generated using the PyQRCode library.
+This feature is marked experimental meaning that backwards incompatible changes
+might occur during minor releases. While the feature is operational, it has these
+known limitations:
+
+    * Limited and incomplete JSON support
+    * Incomplete i18n support
+    * Not enough documentation to use w/o looking at code
 
 Email Confirmation
 ------------------
@@ -118,6 +136,8 @@ JSON is supported for the following operations:
 * Confirmation requests
 * Forgot password requests
 * Passwordless login requests
+* Two-factor login requests
+* Change two-factor method requests
 
 In addition, Single-Page-Applications (like those built with Vue, Angular, and
 React) are supported via customizable redirect links.
@@ -137,3 +157,5 @@ Run ``flask --help`` and look for users and roles.
 .. _documentation on this topic: http://packages.python.org/Flask-Principal/#granular-resource-protection
 .. _passlib: http://packages.python.org/passlib/
 .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt
+.. _onetimepass: https://pypi.python.org/pypi/onetimepass/
+.. _PyQRCode: https://pypi.python.org/pypi/PyQRCode/

docs/index.rst

@@ -11,9 +11,10 @@ Flask application. They include:
 5. Token based authentication
 6. Token based account activation (optional)
 7. Token based password recovery / resetting (optional)
-8. User registration (optional)
-9. Login tracking (optional)
-10. JSON/Ajax Support
+8. Two-factor authentication (optional)
+9. User registration (optional)
+10. Login tracking (optional)
+11. JSON/Ajax Support
 
 Many of these features are made possible by integrating various Flask extensions
 and libraries. They include:
@@ -24,6 +25,8 @@ and libraries. They include:
 4. `Flask-WTF <http://packages.python.org/Flask-WTF/>`_
 5. `itsdangerous <http://packages.python.org/itsdangerous/>`_
 6. `passlib <http://packages.python.org/passlib/>`_
+7. `onetimepass <https://pypi.python.org/pypi/onetimepass/>`_
+8. `PyQRCode <https://pypi.python.org/pypi/PyQRCode/>`_
 
 Additionally, it assumes you'll be using a common library for your database
 connections and model definitions. Flask-Security supports the following Flask

docs/models.rst

@@ -15,6 +15,7 @@ your `User` and `Role` model should include the following fields:
 * ``password``
 * ``active``
 
+
 **Role**
 
 * ``id``
@@ -74,3 +75,17 @@ serializable object:
                 'name': self.name,
                 'email': self.email
             }
+
+Two_Factor
+^^^^^^^^^^
+
+If you enable two-factor by setting your application's `TWO_FACTOR`
+configuration value to `True`, your `User` model will require the following
+additional fields:
+
+* ``totp_secret``
+* ``two_factor_primary_method``
+
+If you include 'sms' in SECURITY_TWO_FACTOR_ENABLED_METHOD, your `User` model
+will require the following additional field:
+* ``phone_number``