mailinabox/setup
Joshua Tauberer 6a979f4f52
Add TOTP two-factor authentication to admin panel login (#1814)
* add user interface for managing 2fa

* update user schema with 2fa columns

* implement two factor check during login

* Use pyotp for validating TOTP codes

* also implements resynchronisation support via `pyotp`'s `valid_window` option

* Update API route naming, update setup page

* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types

* Autofocus otp input when logging in, update layout

* Extract TOTPStrategy class to totp.py

* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`

* Update OpenApi docs, rename /2fa/ => /mfa/

* Decouple totp from users table by moving to totp_credentials table

* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level

* Add sqlite migration

* Rename internal validate_two_factor_secret => validate_two_factor_secret

* conn.close() if mru_token update can't .commit()

* Address review feedback, thanks @hija

* Use hmac.compare_digest() to compare mru_token

* Safeguard against empty mru_token column

* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup

* Do not log failed login attempts for MissingToken errors

* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.

* Add TOTP secret to user_key hash

thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`

* Typo

* Reorganize the MFA backend methods

* Reorganize MFA front-end and add label column

* Fix handling of bad input when enabling mfa

* Update openAPI docs

* Remove unique key constraint on foreign key user_id in mfa table

* Don't expose mru_token and secret for enabled mfas over HTTP

* Only update mru_token for matched mfa row

* Exclude mru_token in user key hash

* Rename tools/mail.py to management/cli.py

* Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost

Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-10-31 10:27:38 -04:00
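The checks the commit message describes (a `valid_window` of 1 for clock skew, `hmac.compare_digest()` against a stored most-recently-used token so a captured code cannot be replayed, a guard against an empty `mru_token` column, and a user key that covers the TOTP secret but not `mru_token`) are shown below in one self-contained Python example. This is an added illustration, not Mail-in-a-Box's own code: it implements RFC 4226/6238 with the standard library instead of `pyotp`, the `cred` dict stands in for a `totp_credentials` row, the `user_key` construction is only illustrative, and the secret is the RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6          # code length
STEP = 30           # TOTP time-step in seconds

# Constructed input: the RFC 4226/6238 test key "12345678901234567890" in base32.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time-step."""
    return hotp(base64.b32decode(secret_b32, casefold=True), unix_time // step)


def validate_totp(cred: dict, token: str, unix_time: int, valid_window: int = 1) -> bool:
    """Validate `token` against one credential row (illustrative dict with
    keys 'secret', 'mru_token', 'label'); on success record it as the
    most-recently-used token so the same code is refused a second time."""
    # Reject malformed input before doing any crypto.
    if not (isinstance(token, str) and len(token) == DIGITS and token.isdigit()):
        return False
    # compare_digest() needs two str/bytes of the same type; an unset column
    # (None) must be turned into "" rather than passed through.
    if hmac.compare_digest(cred.get("mru_token") or "", token):
        return False                       # replay of the last accepted code
    secret = base64.b32decode(cred["secret"], casefold=True)
    counter = unix_time // STEP
    # valid_window=1 accepts the previous, current and next 30-second step,
    # i.e. up to roughly a minute of clock drift on the authenticator.
    for skew in range(-valid_window, valid_window + 1):
        if hmac.compare_digest(hotp(secret, counter + skew), token):
            cred["mru_token"] = token
            return True
    return False


def user_key(password_hash: str, mfa_rows: list) -> str:
    """Illustrative session key (not the project's exact construction): it
    covers the password hash and every enabled MFA secret, but deliberately
    not mru_token, so enabling/disabling TOTP invalidates existing logins
    while an ordinary login (which rotates mru_token) does not."""
    h = hashlib.sha256(password_hash.encode())
    for row in mfa_rows:
        h.update(b"\x00" + row["secret"].encode())
    return h.hexdigest()


def demo() -> dict:
    """Run the checks on constructed data and return the outcomes."""
    cred = {"secret": TEST_SECRET_B32, "mru_token": None, "label": "phone"}
    results = {}
    results["first_use"] = validate_totp(cred, "287082", 59)       # counter 1
    results["replay"] = validate_totp(cred, "287082", 59)          # same code again
    results["next_step"] = validate_totp(cred, "359152", 59)       # counter 2, skew +1
    results["too_far"] = validate_totp(cred, "969429", 59)         # counter 3, outside window
    results["bad_input"] = validate_totp(cred, "12ab", 59)
    # Only the single last token is remembered: an older code that is still
    # inside the window is accepted again once a newer one has been used.
    results["older_code_reused"] = validate_totp(cred, "287082", 75)
    return results


if __name__ == "__main__":
    print(totp_at(TEST_SECRET_B32, 59))
    print(demo())
```

The `older_code_reused` entry is the caveat worth knowing about a single `mru_token` column: it stops the obvious replay of the last code, but while the window is open an earlier code can be presented again after a newer one has been consumed. Storing the highest accepted counter instead of the last token, and refusing anything at or below it, closes that gap.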
bootstrap.sh v0.50 2020-09-25 07:43:30 -04:00
dkim.sh OpenDKIM canonicalization changed to relaxed for mail headers (#1620) 2019-12-01 16:24:38 -05:00
dns.sh Add a logfile entry to the NSD conf file (#1434) 2018-12-02 18:00:16 -05:00
firstuser.sh Rename tools/mail.py to management/cli.py 2020-10-29 15:41:54 -04:00
functions.sh [backport] Add rate limiting of SSH in the firewall (#1770) 2020-07-29 10:24:23 -04:00
mail-dovecot.sh Raise Dovecot per user connection limit (#1799) 2020-07-27 06:37:52 -04:00
mail-postfix.sh Downgrade TLS settings for port 25, partially reverting f53b18ebb9 2020-01-20 14:52:23 -05:00
mail-users.sh Remove unique key constraint on foreign key user_id in mfa table 2020-09-29 19:39:40 +02:00
management.sh Use pyotp for validating TOTP codes 2020-09-02 19:12:15 +02:00
migrate.py Remove unique key constraint on foreign key user_id in mfa table 2020-09-29 19:39:40 +02:00
munin.sh Fix upgrade issue broken by 802e7a1f4d 2019-12-01 17:44:12 -05:00
network-checks.sh prevent apt from asking the user any questions 2015-02-13 13:41:52 +00:00
nextcloud.sh Add TOTP two-factor authentication to admin panel login (#1814) 2020-10-31 10:27:38 -04:00
preflight.sh Better return codes after errors in the setup scripts (#1741) 2020-04-11 14:18:44 -04:00
questions.sh Fix some more $DEFAULT_PUBLIC_IP issues (#1494) 2018-12-26 15:39:47 -05:00
spamassassin.sh Fixed multiple commented add_header entries in /etc/spamassassin/local.cf (#1641) 2019-12-01 16:23:02 -05:00
ssl.sh only set the CN field when generating initial CSR to prevent issues with the php7 ppa version of openssl (#1223) 2017-07-30 08:11:39 -04:00
start.sh MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00
system.sh [backport] Add rate limiting of SSH in the firewall (#1770) 2020-07-29 10:24:23 -04:00
web.sh MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00
webmail.sh Update Roundcube to version 1.4.9 (#1830) 2020-10-31 10:01:14 -04:00
zpush.sh Upgrade Roundcube to 1.4.4, Nextcloud to 17.0.6, Z-Push to 2.5.2 2020-05-10 19:44:12 -04:00