diff --git a/Pipfile b/Pipfile index 794af014d..1e79bb604 100644 --- a/Pipfile +++ b/Pipfile @@ -8,7 +8,7 @@ dateparser = "~=1.2" # WARNING: django does not use semver. # Only patch versions are guaranteed to not introduce breaking changes. django = "~=5.1.3" -django-allauth = {extras = ["socialaccount"], version = "*"} +django-allauth = {extras = ["mfa", "socialaccount"], version = "*"} django-auditlog = "*" django-celery-results = "*" django-compression-middleware = "*" diff --git a/Pipfile.lock b/Pipfile.lock index 9377e3575..063ec2389 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "dccf58aea1ba4c0aa4aa93c1cc13881229889db25bc6e5b2384413a7e7e85182" + "sha256": "5a7cb70103e8f3931682c73432290f2f4ec2ba06395c8ec076d2d5449c4ff0dd" }, "pipfile-spec": 6, "requires": {}, @@ -522,6 +522,7 @@ }, "django-allauth": { "extras": [ + "mfa", "socialaccount" ], "hashes": [ @@ -641,6 +642,13 @@ "markers": "python_version >= '3.7'", "version": "==1.2.2" }, + "fido2": { + "hashes": [ + "sha256:26100f226d12ced621ca6198528ce17edf67b78df4287aee1285fee3cd5aa9fc", + "sha256:6be34c0b9fe85e4911fd2d103cce7ae8ce2f064384a7a2a3bd970b3ef7702931" + ], + "version": "==1.1.3" + }, "filelock": { "hashes": [ "sha256:2082e5703d51fbf98ea75855d9d5527e33d8ff23099bec374a134febee6946b0", @@ -1776,6 +1784,13 @@ "index": "pypi", "version": "==0.1.9" }, + "qrcode": { + "hashes": [ + "sha256:025ce2b150f7fe4296d116ee9bad455a6643ab4f6e7dce541613a4758cbce347", + "sha256:9fc05f03305ad27a709eb742cf3097fa19e6f6f93bb9e2f039c0979190f6f1b1" + ], + "version": "==8.0" + }, "rapidfuzz": { "hashes": [ "sha256:00d02cbd75d283c287471b5b3738b3e05c9096150f93f2d2dfa10b3d700f2db9", diff --git a/docs/usage.md b/docs/usage.md index f853bb7f5..8f22ec3eb 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -299,6 +299,12 @@ In order to enable the password reset feature you will need to setup an SMTP bac [`PAPERLESS_EMAIL_HOST`](configuration.md#PAPERLESS_EMAIL_HOST). If your installation does not have [`PAPERLESS_URL`](configuration.md#PAPERLESS_URL) set, the reset link included in emails will use the server host. +### Two-factor authentication + +Users can enable two-factor authentication (2FA) for their accounts from the 'My Profile' dialog. Opening the dropdown reveals a QR code that can be scanned by a 2FA app (e.g. Google Authenticator) to generate a code. The code must then be entered in the dialog to enable 2FA. If the code is accepted and 2FA is enabled, the user will be shown a set of 10 recovery codes that can be used to login in the event that the 2FA device is lost or unavailable. These codes should be stored securely and cannot be retrieved again. Once enabled, users will be required to enter a code from their 2FA app when logging in. + +Should a user lose access to their 2FA device and all recovery codes, a superuser can disable 2FA for the user from the 'Users & Groups' management screen. + ## Workflows !!! note diff --git a/src-ui/messages.xlf b/src-ui/messages.xlf index b9aa4e03e..e988a39cb 100644 --- a/src-ui/messages.xlf +++ b/src-ui/messages.xlf @@ -520,6 +520,10 @@ src/app/components/admin/config/config.component.html 34 + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 124 + Discard @@ -576,7 +580,7 @@ src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html - 43 + 57 src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html @@ -584,7 +588,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 99 + 184 src/app/components/document-detail/document-detail.component.html @@ -712,6 +716,14 @@ src/app/components/common/permissions-dialog/permissions-dialog.component.html 23 + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 111 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 127 + src/app/components/common/system-status-dialog/system-status-dialog.component.html 10 @@ -1095,7 +1107,7 @@ src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html - 37 + 51 src/app/components/common/input/permissions/permissions-form/permissions-form.component.html @@ -1707,7 +1719,7 @@ src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html - 42 + 56 src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html @@ -1719,7 +1731,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 98 + 183 src/app/components/common/select-dialog/select-dialog.component.html @@ -2514,7 +2526,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 159 + 173 @@ -2917,21 +2929,21 @@ Sidebar views updated src/app/components/app-frame/app-frame.component.ts - 208 + 209 Error updating sidebar views src/app/components/app-frame/app-frame.component.ts - 211 + 212 An error occurred while saving update checking settings. src/app/components/app-frame/app-frame.component.ts - 232 + 233 @@ -3720,7 +3732,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 18 + 20 @@ -4263,7 +4275,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 8 + 10 @@ -4274,7 +4286,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 28 + 30 @@ -4285,7 +4297,7 @@ src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 29 + 31 @@ -4323,18 +4335,70 @@ 30 + + Two-factor Authentication + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html + 37 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 104 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 138 + + + + Disable Two-factor Authentication + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html + 39 + + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html + 41 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 169 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 171 + + Create new user account src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts - 44 + 49 Edit user account src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts - 48 + 53 + + + + Totp deactivated + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts + 109 + + + + Totp deactivation failed + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts + 112 + + + src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts + 117 @@ -5151,32 +5215,36 @@ Confirm Email src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 13 + 15 Confirm Password src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 23 + 25 API Auth Token src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 31 + 33 Copy src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 35 + 37 src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 42 + 44 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 156 src/app/components/common/share-links-dropdown/share-links-dropdown.component.html @@ -5207,14 +5275,18 @@ Regenerate auth token src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 45 + 47 Copied! src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 53 + 55 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 163 src/app/components/common/share-links-dropdown/share-links-dropdown.component.html @@ -5225,91 +5297,176 @@ Warning: changing the token cannot be undone src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 55 + 57 Connected social accounts src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 59 + 63 Set a password before disconnecting social account. src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 63 + 67 Disconnect src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 69 + 73 Disconnect social account src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 71 + 75 Warning: disconnecting social accounts cannot be undone src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 81 + 85 Connect new social account src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html - 86 + 90 + + + + Scan the QR code with your authenticator app and then enter the code below + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 115 + + + + Authenticator secret + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 118 + + + + You can store this secret and use it to reinstall your authenticator app at a later time. + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 119 + + + + Code + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 122 + + + + Recovery codes will not be shown again, make sure to save them. + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 141 + + + + Copy codes + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html + 159 Emails must match src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 108 + 121 Passwords must match src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 136 + 149 Profile updated successfully src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 156 + 170 Error saving profile src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 168 + 182 Error generating auth token src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 185 + 199 Error disconnecting social account src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts - 210 + 224 + + + + Error fetching TOTP settings + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 243 + + + + TOTP activated successfully + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 263 + + + + Error activating TOTP + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 265 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 271 + + + + TOTP deactivated successfully + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 287 + + + + Error deactivating TOTP + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 289 + + + src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts + 294 diff --git a/src-ui/src/app/components/app-frame/app-frame.component.spec.ts b/src-ui/src/app/components/app-frame/app-frame.component.spec.ts index 1354a187e..f440946da 100644 --- a/src-ui/src/app/components/app-frame/app-frame.component.spec.ts +++ b/src-ui/src/app/components/app-frame/app-frame.component.spec.ts @@ -343,6 +343,7 @@ describe('AppFrameComponent', () => { component.editProfile() expect(modalSpy).toHaveBeenCalledWith(ProfileEditDialogComponent, { backdrop: 'static', + size: 'xl', }) }) diff --git a/src-ui/src/app/components/app-frame/app-frame.component.ts b/src-ui/src/app/components/app-frame/app-frame.component.ts index df6ac65a2..83d927562 100644 --- a/src-ui/src/app/components/app-frame/app-frame.component.ts +++ b/src-ui/src/app/components/app-frame/app-frame.component.ts @@ -136,6 +136,7 @@ export class AppFrameComponent editProfile() { this.modalService.open(ProfileEditDialogComponent, { backdrop: 'static', + size: 'xl', }) this.closeMenu() } diff --git a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html index ca834a3ad..a2b3db67d 100644 --- a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html +++ b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html @@ -32,6 +32,20 @@ + + @if (object?.is_mfa_enabled && currentUserIsSuperUser) { + + + + }
diff --git a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.spec.ts b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.spec.ts index 96a0044fe..5adaf3388 100644 --- a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.spec.ts +++ b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.spec.ts @@ -7,7 +7,7 @@ import { } from '@angular/forms' import { NgbActiveModal, NgbModule } from '@ng-bootstrap/ng-bootstrap' import { NgSelectModule } from '@ng-select/ng-select' -import { of } from 'rxjs' +import { of, throwError } from 'rxjs' import { IfOwnerDirective } from 'src/app/directives/if-owner.directive' import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive' import { GroupService } from 'src/app/services/rest/group.service' @@ -21,10 +21,15 @@ import { EditDialogMode } from '../edit-dialog.component' import { UserEditDialogComponent } from './user-edit-dialog.component' import { provideHttpClient, withInterceptorsFromDi } from '@angular/common/http' import { NgxBootstrapIconsModule, allIcons } from 'ngx-bootstrap-icons' +import { ToastService } from 'src/app/services/toast.service' +import { UserService } from 'src/app/services/rest/user.service' +import { PermissionsService } from 'src/app/services/permissions.service' describe('UserEditDialogComponent', () => { let component: UserEditDialogComponent let settingsService: SettingsService + let permissionsService: PermissionsService + let toastService: ToastService let fixture: ComponentFixture beforeEach(async () => { @@ -71,6 +76,8 @@ describe('UserEditDialogComponent', () => { fixture = TestBed.createComponent(UserEditDialogComponent) settingsService = TestBed.inject(SettingsService) settingsService.currentUser = { id: 99, username: 'user99' } + permissionsService = TestBed.inject(PermissionsService) + toastService = TestBed.inject(ToastService) component = fixture.componentInstance fixture.detectChanges() @@ -121,4 +128,38 @@ describe('UserEditDialogComponent', () => { component.save() expect(component.passwordIsSet).toBeTruthy() }) + + it('should support deactivation of TOTP', () => { + component.object = { id: 99, username: 'user99' } + const deactivateSpy = jest.spyOn( + component['service'] as UserService, + 'deactivateTotp' + ) + const toastErrorSpy = jest.spyOn(toastService, 'showError') + const toastInfoSpy = jest.spyOn(toastService, 'showInfo') + deactivateSpy.mockReturnValueOnce(throwError(() => new Error('error'))) + component.deactivateTotp() + expect(deactivateSpy).toHaveBeenCalled() + expect(toastErrorSpy).toHaveBeenCalled() + + deactivateSpy.mockReturnValueOnce(of(false)) + component.deactivateTotp() + expect(deactivateSpy).toHaveBeenCalled() + expect(toastErrorSpy).toHaveBeenCalled() + + deactivateSpy.mockReturnValueOnce(of(true)) + component.deactivateTotp() + expect(deactivateSpy).toHaveBeenCalled() + expect(toastInfoSpy).toHaveBeenCalled() + }) + + it('should check superuser status of current user', () => { + expect(component.currentUserIsSuperUser).toBeFalsy() + permissionsService.initialize([], { + id: 99, + username: 'user99', + is_superuser: true, + }) + expect(component.currentUserIsSuperUser).toBeTruthy() + }) }) diff --git a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts index baadfa541..acd327d3a 100644 --- a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts +++ b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.ts @@ -5,9 +5,11 @@ import { first } from 'rxjs' import { EditDialogComponent } from 'src/app/components/common/edit-dialog/edit-dialog.component' import { Group } from 'src/app/data/group' import { User } from 'src/app/data/user' +import { PermissionsService } from 'src/app/services/permissions.service' import { GroupService } from 'src/app/services/rest/group.service' import { UserService } from 'src/app/services/rest/user.service' import { SettingsService } from 'src/app/services/settings.service' +import { ToastService } from 'src/app/services/toast.service' @Component({ selector: 'pngx-user-edit-dialog', @@ -20,12 +22,15 @@ export class UserEditDialogComponent { groups: Group[] passwordIsSet: boolean = false + public totpLoading: boolean = false constructor( service: UserService, activeModal: NgbActiveModal, groupsService: GroupService, - settingsService: SettingsService + settingsService: SettingsService, + private toastService: ToastService, + private permissionsService: PermissionsService ) { super(service, activeModal, service, settingsService) @@ -87,4 +92,30 @@ export class UserEditDialogComponent .length > 0 super.save() } + + get currentUserIsSuperUser(): boolean { + return this.permissionsService.isSuperUser() + } + + deactivateTotp() { + this.totpLoading = true + ;(this.service as UserService) + .deactivateTotp(this.object) + .pipe(first()) + .subscribe({ + next: (result) => { + this.totpLoading = false + if (result) { + this.toastService.showInfo($localize`Totp deactivated`) + this.object.is_mfa_enabled = false + } else { + this.toastService.showError($localize`Totp deactivation failed`) + } + }, + error: (e) => { + this.totpLoading = false + this.toastService.showError($localize`Totp deactivation failed`, e) + }, + }) + } } diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html index 713d68864..f9d57baf3 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html @@ -5,94 +5,179 @@
- -
-
-
-
- +
+
+ +
+
+
+
+ +
+
-
-
- -
-
-
-
- + +
+
+
+
+ +
+
-
-
- - -
- -
-
- - - - -
- Copied! -
-
Warning: changing the token cannot be undone
-
- @if (socialAccounts?.length > 0) { + +
-

Connected social accounts

-
    - @for (account of socialAccounts; track account.id) { -
  • - {{account.name}} ({{account.provider}}) + +
    +
    + + + (confirm)="generateAuthToken()"> -
    • - } -
-
Warning: disconnecting social accounts cannot be undone
-
- } - @if (socialAccountProviders?.length > 0) { -
-

Connect new social account

-
- @for (provider of socialAccountProviders; track provider.name) { - - {{provider.name}}  - - } +
+ Copied! +
+
Warning: changing the token cannot be undone
-
- } +
+
+ @if (socialAccounts?.length > 0) { +
+

Connected social accounts

+
    + @for (account of socialAccounts; track account.id) { +
  • + {{account.name}} ({{account.provider}}) + + +
    • + } +
+
Warning: disconnecting social accounts cannot be undone
+
+ } + @if (socialAccountProviders?.length > 0) { +
+

Connect new social account

+
+ @for (provider of socialAccountProviders; track provider.name) { + + {{provider.name}}  + + } +
+
+ } + @if (!isTotpEnabled) { +
+
+

+ +

+
+
+ + @if (totpSettingsLoading) { + + + } @else if (totpSettings) { +
+
+
Scan the QR code with your authenticator app and then enter the code below
+
+

+ Authenticator secret: {{totpSettings.secret}}. + You can store this secret and use it to reinstall your authenticator app at a later time. +

+
+ + +
+ } + +
+
+
+
+ } @else { + + @if (recoveryCodes) { + +
+
    + @for (code of recoveryCodes; track code; let i = $index) { + @if (i % 2 === 0) { +
  • + {{code}} + @if (recoveryCodes[i + 1]) { + {{recoveryCodes[i + 1]}} + } +
    • + } + } +
+ +
+ } + + + } +
+
diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts index d0af0f2ad..aa793941e 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts @@ -294,4 +294,85 @@ describe('ProfileEditDialogComponent', () => { expect(disconnectSpy).toHaveBeenCalled() expect(component.socialAccounts).not.toContainEqual(socialAccount) }) + + it('should get totp settings', () => { + const settings = { + url: 'http://localhost/', + qr_svg: 'svg', + secret: 'secret', + } + const getSpy = jest.spyOn(profileService, 'getTotpSettings') + const toastSpy = jest.spyOn(toastService, 'showError') + getSpy.mockReturnValueOnce( + throwError(() => new Error('failed to get settings')) + ) + component.gettotpSettings() + expect(getSpy).toHaveBeenCalled() + expect(toastSpy).toHaveBeenCalled() + + getSpy.mockReturnValue(of(settings)) + component.gettotpSettings() + expect(getSpy).toHaveBeenCalled() + expect(component.totpSettings).toEqual(settings) + }) + + it('should activate totp', () => { + const activateSpy = jest.spyOn(profileService, 'activateTotp') + const toastErrorSpy = jest.spyOn(toastService, 'showError') + const toastInfoSpy = jest.spyOn(toastService, 'showInfo') + const error = new Error('failed to activate totp') + activateSpy.mockReturnValueOnce(throwError(() => error)) + component.totpSettings = { + url: 'http://localhost/', + qr_svg: 'svg', + secret: 'secret', + } + component.form.get('totp_code').patchValue('123456') + component.activateTotp() + expect(activateSpy).toHaveBeenCalledWith( + component.totpSettings.secret, + component.form.get('totp_code').value + ) + expect(toastErrorSpy).toHaveBeenCalled() + + activateSpy.mockReturnValueOnce(of({ success: false, recovery_codes: [] })) + component.activateTotp() + expect(toastErrorSpy).toHaveBeenCalledWith('Error activating TOTP', error) + + activateSpy.mockReturnValueOnce( + of({ success: true, recovery_codes: ['1', '2', '3'] }) + ) + component.activateTotp() + expect(toastInfoSpy).toHaveBeenCalled() + expect(component.isTotpEnabled).toBeTruthy() + expect(component.recoveryCodes).toEqual(['1', '2', '3']) + }) + + it('should deactivate totp', () => { + const deactivateSpy = jest.spyOn(profileService, 'deactivateTotp') + const toastErrorSpy = jest.spyOn(toastService, 'showError') + const toastInfoSpy = jest.spyOn(toastService, 'showInfo') + const error = new Error('failed to deactivate totp') + deactivateSpy.mockReturnValueOnce(throwError(() => error)) + component.deactivateTotp() + expect(deactivateSpy).toHaveBeenCalled() + expect(toastErrorSpy).toHaveBeenCalled() + + deactivateSpy.mockReturnValueOnce(of(false)) + component.deactivateTotp() + expect(toastErrorSpy).toHaveBeenCalledWith('Error deactivating TOTP', error) + + deactivateSpy.mockReturnValueOnce(of(true)) + component.deactivateTotp() + expect(toastInfoSpy).toHaveBeenCalled() + expect(component.isTotpEnabled).toBeFalsy() + }) + + it('should copy recovery codes', fakeAsync(() => { + const copySpy = jest.spyOn(clipboard, 'copy') + component.recoveryCodes = ['1', '2', '3'] + component.copyRecoveryCodes() + expect(copySpy).toHaveBeenCalledWith('1\n2\n3') + tick(3000) + })) }) diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts index 77cba4505..a4dbaf7d6 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts @@ -2,7 +2,11 @@ import { Component, OnDestroy, OnInit } from '@angular/core' import { FormControl, FormGroup } from '@angular/forms' import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap' import { ProfileService } from 'src/app/services/profile.service' -import { SocialAccount, SocialAccountProvider } from 'src/app/data/user-profile' +import { + TotpSettings, + SocialAccount, + SocialAccountProvider, +} from 'src/app/data/user-profile' import { ToastService } from 'src/app/services/toast.service' import { Subject, takeUntil } from 'rxjs' import { Clipboard } from '@angular/cdk/clipboard' @@ -25,6 +29,7 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { first_name: new FormControl(''), last_name: new FormControl(''), auth_token: new FormControl(''), + totp_code: new FormControl(''), }) private currentPassword: string @@ -38,7 +43,14 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { private emailConfirm: string public showEmailConfirm: boolean = false + public isTotpEnabled: boolean = false + public totpSettings: TotpSettings + public totpSettingsLoading: boolean = false + public totpLoading: boolean = false + public recoveryCodes: string[] + public copied: boolean = false + public codesCopied: boolean = false public socialAccounts: SocialAccount[] = [] public socialAccountProviders: SocialAccountProvider[] = [] @@ -70,6 +82,7 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { this.onPasswordChange() }) this.socialAccounts = profile.social_accounts + this.isTotpEnabled = profile.is_mfa_enabled }) this.profileService @@ -147,6 +160,7 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { const passwordChanged = this.newPassword && this.currentPassword !== this.newPassword const profile = Object.assign({}, this.form.value) + delete profile.totp_code this.networkActive = true this.profileService .update(profile) @@ -213,4 +227,81 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { }, }) } + + public gettotpSettings(): void { + this.totpSettingsLoading = true + this.profileService + .getTotpSettings() + .pipe(takeUntil(this.unsubscribeNotifier)) + .subscribe({ + next: (totpSettings) => { + this.totpSettingsLoading = false + this.totpSettings = totpSettings + }, + error: (error) => { + this.toastService.showError( + $localize`Error fetching TOTP settings`, + error + ) + this.totpSettingsLoading = false + }, + }) + } + + public activateTotp(): void { + this.totpLoading = true + this.form.get('totp_code').disable() + this.profileService + .activateTotp(this.totpSettings.secret, this.form.get('totp_code').value) + .pipe(takeUntil(this.unsubscribeNotifier)) + .subscribe({ + next: (activationResponse) => { + this.totpLoading = false + this.isTotpEnabled = activationResponse.success + this.recoveryCodes = activationResponse.recovery_codes + this.form.get('totp_code').enable() + if (activationResponse.success) { + this.toastService.showInfo($localize`TOTP activated successfully`) + } else { + this.toastService.showError($localize`Error activating TOTP`) + } + }, + error: (error) => { + this.totpLoading = false + this.form.get('totp_code').enable() + this.toastService.showError($localize`Error activating TOTP`, error) + }, + }) + } + + public deactivateTotp(): void { + this.totpLoading = true + this.profileService + .deactivateTotp() + .pipe(takeUntil(this.unsubscribeNotifier)) + .subscribe({ + next: (success) => { + this.totpLoading = false + this.isTotpEnabled = !success + this.recoveryCodes = null + if (success) { + this.toastService.showInfo($localize`TOTP deactivated successfully`) + } else { + this.toastService.showError($localize`Error deactivating TOTP`) + } + }, + error: (error) => { + this.totpLoading = false + this.toastService.showError($localize`Error deactivating TOTP`, error) + }, + }) + } + + public copyRecoveryCodes(): void { + this.clipboard.copy(this.recoveryCodes.join('\n')) + this.codesCopied = true + setTimeout(() => { + this.codesCopied = false + }, 3000) + } } diff --git a/src-ui/src/app/data/user-profile.ts b/src-ui/src/app/data/user-profile.ts index 554f6f0e1..a07163233 100644 --- a/src-ui/src/app/data/user-profile.ts +++ b/src-ui/src/app/data/user-profile.ts @@ -17,4 +17,11 @@ export interface PaperlessUserProfile { auth_token?: string social_accounts?: SocialAccount[] has_usable_password?: boolean + is_mfa_enabled?: boolean +} + +export interface TotpSettings { + url: string + qr_svg: string + secret: string } diff --git a/src-ui/src/app/data/user.ts b/src-ui/src/app/data/user.ts index 49216a274..6bf051c25 100644 --- a/src-ui/src/app/data/user.ts +++ b/src-ui/src/app/data/user.ts @@ -11,4 +11,5 @@ export interface User extends ObjectWithId { groups?: number[] // Group[] user_permissions?: string[] inherited_permissions?: string[] + is_mfa_enabled?: boolean } diff --git a/src-ui/src/app/services/permissions.service.spec.ts b/src-ui/src/app/services/permissions.service.spec.ts index f4e01945e..ecbdb6f1b 100644 --- a/src-ui/src/app/services/permissions.service.spec.ts +++ b/src-ui/src/app/services/permissions.service.spec.ts @@ -439,4 +439,25 @@ describe('PermissionsService', () => { expect(permissionsService.isAdmin()).toBeFalsy() }) + + it('correctly checks superuser status', () => { + permissionsService.initialize([], { + username: 'testuser', + last_name: 'User', + first_name: 'Test', + id: 1, + is_superuser: true, + }) + + expect(permissionsService.isSuperUser()).toBeTruthy() + + permissionsService.initialize([], { + username: 'testuser', + last_name: 'User', + first_name: 'Test', + id: 1, + }) + + expect(permissionsService.isSuperUser()).toBeFalsy() + }) }) diff --git a/src-ui/src/app/services/permissions.service.ts b/src-ui/src/app/services/permissions.service.ts index c80bc763d..3d88b10cc 100644 --- a/src-ui/src/app/services/permissions.service.ts +++ b/src-ui/src/app/services/permissions.service.ts @@ -56,6 +56,10 @@ export class PermissionsService { return this.currentUser?.is_staff } + public isSuperUser(): boolean { + return this.currentUser?.is_superuser + } + public currentUserOwnsObject(object: ObjectWithPermissions): boolean { return ( !object || diff --git a/src-ui/src/app/services/profile.service.spec.ts b/src-ui/src/app/services/profile.service.spec.ts index beb7e9ad5..b7b85ee35 100644 --- a/src-ui/src/app/services/profile.service.spec.ts +++ b/src-ui/src/app/services/profile.service.spec.ts @@ -72,4 +72,32 @@ describe('ProfileService', () => { ) expect(req.request.method).toEqual('GET') }) + + it('calls get totp settings endpoint', () => { + service.getTotpSettings().subscribe() + const req = httpTestingController.expectOne( + `${environment.apiBaseUrl}profile/totp/` + ) + expect(req.request.method).toEqual('GET') + }) + + it('calls activate totp endpoint', () => { + service.activateTotp('secret', 'code').subscribe() + const req = httpTestingController.expectOne( + `${environment.apiBaseUrl}profile/totp/` + ) + expect(req.request.method).toEqual('POST') + expect(req.request.body).toEqual({ + secret: 'secret', + code: 'code', + }) + }) + + it('calls deactivate totp endpoint', () => { + service.deactivateTotp().subscribe() + const req = httpTestingController.expectOne( + `${environment.apiBaseUrl}profile/totp/` + ) + expect(req.request.method).toEqual('DELETE') + }) }) diff --git a/src-ui/src/app/services/profile.service.ts b/src-ui/src/app/services/profile.service.ts index 32e06cce0..09839d012 100644 --- a/src-ui/src/app/services/profile.service.ts +++ b/src-ui/src/app/services/profile.service.ts @@ -2,6 +2,7 @@ import { HttpClient } from '@angular/common/http' import { Injectable } from '@angular/core' import { Observable } from 'rxjs' import { + TotpSettings, PaperlessUserProfile, SocialAccountProvider, } from '../data/user-profile' @@ -47,4 +48,30 @@ export class ProfileService { `${environment.apiBaseUrl}${this.endpoint}/social_account_providers/` ) } + + getTotpSettings(): Observable { + return this.http.get( + `${environment.apiBaseUrl}${this.endpoint}/totp/` + ) + } + + activateTotp( + totpSecret: string, + totpCode: string + ): Observable<{ success: boolean; recovery_codes: string[] }> { + return this.http.post<{ success: boolean; recovery_codes: string[] }>( + `${environment.apiBaseUrl}${this.endpoint}/totp/`, + { + secret: totpSecret, + code: totpCode, + } + ) + } + + deactivateTotp(): Observable { + return this.http.delete( + `${environment.apiBaseUrl}${this.endpoint}/totp/`, + {} + ) + } } diff --git a/src-ui/src/app/services/rest/user.service.spec.ts b/src-ui/src/app/services/rest/user.service.spec.ts index acf66340a..3fd682d4e 100644 --- a/src-ui/src/app/services/rest/user.service.spec.ts +++ b/src-ui/src/app/services/rest/user.service.spec.ts @@ -160,6 +160,18 @@ const user = { commonAbstractNameFilterPaperlessServiceTests(endpoint, UserService) describe('Additional service tests for UserService', () => { + beforeEach(() => { + // Dont need to setup again + + httpTestingController = TestBed.inject(HttpTestingController) + service = TestBed.inject(UserService) + }) + + afterEach(() => { + subscription?.unsubscribe() + httpTestingController.verify() + }) + it('should retain permissions on update', () => { subscription = service.listAll().subscribe() let req = httpTestingController.expectOne( @@ -179,15 +191,11 @@ describe('Additional service tests for UserService', () => { ) }) - beforeEach(() => { - // Dont need to setup again - - httpTestingController = TestBed.inject(HttpTestingController) - service = TestBed.inject(UserService) - }) - - afterEach(() => { - subscription?.unsubscribe() - httpTestingController.verify() + it('should deactivate totp', () => { + subscription = service.deactivateTotp(user).subscribe() + const req = httpTestingController.expectOne( + `${environment.apiBaseUrl}${endpoint}/${user.id}/deactivate_totp/` + ) + expect(req.request.method).toEqual('POST') }) }) diff --git a/src-ui/src/app/services/rest/user.service.ts b/src-ui/src/app/services/rest/user.service.ts index 4fb02b1f7..ded7ae248 100644 --- a/src-ui/src/app/services/rest/user.service.ts +++ b/src-ui/src/app/services/rest/user.service.ts @@ -5,6 +5,7 @@ import { User } from 'src/app/data/user' import { PermissionsService } from '../permissions.service' import { AbstractNameFilterService } from './abstract-name-filter-service' +const endpoint = 'users' @Injectable({ providedIn: 'root', }) @@ -13,7 +14,7 @@ export class UserService extends AbstractNameFilterService { http: HttpClient, private permissionService: PermissionsService ) { - super(http, 'users') + super(http, endpoint) } update(o: User): Observable { @@ -31,4 +32,11 @@ export class UserService extends AbstractNameFilterService { }) ) } + + deactivateTotp(u: User): Observable { + return this.http.post( + `${this.getResourceUrl(u.id, 'deactivate_totp')}`, + null + ) + } } diff --git a/src/documents/management/commands/document_exporter.py b/src/documents/management/commands/document_exporter.py index 79d7cca6f..f49008cc7 100644 --- a/src/documents/management/commands/document_exporter.py +++ b/src/documents/management/commands/document_exporter.py @@ -8,6 +8,7 @@ from pathlib import Path from typing import TYPE_CHECKING import tqdm +from allauth.mfa.models import Authenticator from allauth.socialaccount.models import SocialAccount from allauth.socialaccount.models import SocialApp from allauth.socialaccount.models import SocialToken @@ -270,6 +271,7 @@ class Command(CryptMixin, BaseCommand): "social_accounts": SocialAccount.objects.all(), "social_apps": SocialApp.objects.all(), "social_tokens": SocialToken.objects.all(), + "authenticators": Authenticator.objects.all(), } if settings.AUDIT_LOG_ENABLED: diff --git a/src/documents/templates/mfa/authenticate.html b/src/documents/templates/mfa/authenticate.html new file mode 100644 index 000000000..e6d54b8fb --- /dev/null +++ b/src/documents/templates/mfa/authenticate.html @@ -0,0 +1,35 @@ +{% extends "paperless-ngx/base.html" %} +{% load i18n %} +{% load allauth %} +{% load allauth static %} + +{% block head_title %} + {% trans "Paperless-ngx Two-Factor Authentication" %} +{% endblock head_title %} + +{% block form_top_content %} +

+ {% blocktranslate %}Your account is protected by two-factor authentication. Please enter an authenticator code:{% endblocktranslate %} +

+{% endblock form_top_content %} + +{% block form_content %} +{% translate "Code" as i18n_code %} +
+ + +
+
+ + +
+{% endblock form_content %} + +{% block after_form_content %} +
+ +{% csrf_token %} +
+{% endblock after_form_content %} diff --git a/src/documents/tests/test_api_permissions.py b/src/documents/tests/test_api_permissions.py index 7708b8541..eeea830cb 100644 --- a/src/documents/tests/test_api_permissions.py +++ b/src/documents/tests/test_api_permissions.py @@ -1,5 +1,6 @@ import json +from allauth.mfa.models import Authenticator from django.contrib.auth.models import Group from django.contrib.auth.models import Permission from django.contrib.auth.models import User @@ -601,6 +602,59 @@ class TestApiUser(DirectoriesMixin, APITestCase): self.assertEqual(returned_user2.first_name, "Updated Name 2") self.assertNotEqual(returned_user2.password, initial_password) + def test_deactivate_totp(self): + """ + GIVEN: + - Existing user account with TOTP enabled + WHEN: + - API request by a superuser is made to deactivate TOTP + - API request by a regular user is made to deactivate TOTP + THEN: + - TOTP is deactivated, if exists + - Regular user is forbidden from deactivating TOTP + """ + + user1 = User.objects.create( + username="testuser", + password="test", + first_name="Test", + last_name="User", + ) + Authenticator.objects.create( + user=user1, + type=Authenticator.Type.TOTP, + data={}, + ) + + response = self.client.post( + f"{self.ENDPOINT}{user1.pk}/deactivate_totp/", + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(Authenticator.objects.filter(user=user1).count(), 0) + + # fail if already deactivated + response = self.client.post( + f"{self.ENDPOINT}{user1.pk}/deactivate_totp/", + ) + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + + regular_user = User.objects.create_user(username="regular_user") + regular_user.user_permissions.add( + *Permission.objects.all(), + ) + self.client.force_authenticate(regular_user) + Authenticator.objects.create( + user=user1, + type=Authenticator.Type.TOTP, + data={}, + ) + + response = self.client.post( + f"{self.ENDPOINT}{user1.pk}/deactivate_totp/", + ) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + class TestApiGroup(DirectoriesMixin, APITestCase): ENDPOINT = "/api/groups/" diff --git a/src/documents/tests/test_api_profile.py b/src/documents/tests/test_api_profile.py index eede0d2b0..1075a0af8 100644 --- a/src/documents/tests/test_api_profile.py +++ b/src/documents/tests/test_api_profile.py @@ -1,5 +1,6 @@ from unittest import mock +from allauth.mfa.models import Authenticator from allauth.socialaccount.models import SocialAccount from allauth.socialaccount.models import SocialApp from django.contrib.auth.models import User @@ -299,3 +300,82 @@ class TestApiProfile(DirectoriesMixin, APITestCase): len(self.user.socialaccount_set.filter(pk=social_account_id)), 0, ) + + +class TestApiTOTPViews(APITestCase): + ENDPOINT = "/api/profile/totp/" + + def setUp(self): + super().setUp() + + self.user = User.objects.create_superuser(username="temp_admin") + self.client.force_authenticate(user=self.user) + + def test_get_totp(self): + """ + GIVEN: + - Existing user account + WHEN: + - API request is made to TOTP endpoint + THEN: + - TOTP is generated + """ + response = self.client.get( + self.ENDPOINT, + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertIn("qr_svg", response.data) + self.assertIn("secret", response.data) + + @mock.patch("allauth.mfa.totp.internal.auth.validate_totp_code") + def test_activate_totp(self, mock_validate_totp_code): + """ + GIVEN: + - Existing user account + WHEN: + - API request is made to activate TOTP + THEN: + - TOTP is activated, recovery codes are returned + """ + mock_validate_totp_code.return_value = True + + response = self.client.post( + self.ENDPOINT, + data={ + "secret": "123", + "code": "456", + }, + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertTrue(Authenticator.objects.filter(user=self.user).exists()) + self.assertIn("recovery_codes", response.data) + + def test_deactivate_totp(self): + """ + GIVEN: + - Existing user account with TOTP enabled + WHEN: + - API request is made to deactivate TOTP + THEN: + - TOTP is deactivated + """ + Authenticator.objects.create( + user=self.user, + type=Authenticator.Type.TOTP, + data={}, + ) + + response = self.client.delete( + self.ENDPOINT, + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + self.assertEqual(Authenticator.objects.filter(user=self.user).count(), 0) + + # test fails + response = self.client.delete( + self.ENDPOINT, + ) + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) diff --git a/src/locale/en_US/LC_MESSAGES/django.po b/src/locale/en_US/LC_MESSAGES/django.po index 265682f91..0b7b65ab1 100644 --- a/src/locale/en_US/LC_MESSAGES/django.po +++ b/src/locale/en_US/LC_MESSAGES/django.po @@ -2,7 +2,7 @@ msgid "" msgstr "" "Project-Id-Version: paperless-ngx\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2024-10-19 22:56-0700\n" +"POT-Creation-Date: 2024-10-19 23:22-0700\n" "PO-Revision-Date: 2022-02-17 04:17\n" "Last-Translator: \n" "Language-Team: English\n" @@ -1039,6 +1039,7 @@ msgid "Password" msgstr "" #: documents/templates/account/login.html:30 +#: documents/templates/mfa/authenticate.html:23 msgid "Sign in" msgstr "" @@ -1161,6 +1162,24 @@ msgstr "" msgid "Here's a link to the docs." msgstr "" +#: documents/templates/mfa/authenticate.html:7 +msgid "Paperless-ngx Two-Factor Authentication" +msgstr "" + +#: documents/templates/mfa/authenticate.html:12 +msgid "" +"Your account is protected by two-factor authentication. Please enter an " +"authenticator code:" +msgstr "" + +#: documents/templates/mfa/authenticate.html:17 +msgid "Code" +msgstr "" + +#: documents/templates/mfa/authenticate.html:24 +msgid "Cancel" +msgstr "" + #: documents/templates/paperless-ngx/base.html:58 msgid "Share link was not found." msgstr "" @@ -1366,139 +1385,139 @@ msgstr "" msgid "paperless application settings" msgstr "" -#: paperless/settings.py:684 +#: paperless/settings.py:687 msgid "English (US)" msgstr "" -#: paperless/settings.py:685 +#: paperless/settings.py:688 msgid "Arabic" msgstr "" -#: paperless/settings.py:686 +#: paperless/settings.py:689 msgid "Afrikaans" msgstr "" -#: paperless/settings.py:687 +#: paperless/settings.py:690 msgid "Belarusian" msgstr "" -#: paperless/settings.py:688 +#: paperless/settings.py:691 msgid "Bulgarian" msgstr "" -#: paperless/settings.py:689 +#: paperless/settings.py:692 msgid "Catalan" msgstr "" -#: paperless/settings.py:690 +#: paperless/settings.py:693 msgid "Czech" msgstr "" -#: paperless/settings.py:691 +#: paperless/settings.py:694 msgid "Danish" msgstr "" -#: paperless/settings.py:692 +#: paperless/settings.py:695 msgid "German" msgstr "" -#: paperless/settings.py:693 +#: paperless/settings.py:696 msgid "Greek" msgstr "" -#: paperless/settings.py:694 +#: paperless/settings.py:697 msgid "English (GB)" msgstr "" -#: paperless/settings.py:695 +#: paperless/settings.py:698 msgid "Spanish" msgstr "" -#: paperless/settings.py:696 +#: paperless/settings.py:699 msgid "Finnish" msgstr "" -#: paperless/settings.py:697 +#: paperless/settings.py:700 msgid "French" msgstr "" -#: paperless/settings.py:698 +#: paperless/settings.py:701 msgid "Hungarian" msgstr "" -#: paperless/settings.py:699 +#: paperless/settings.py:702 msgid "Italian" msgstr "" -#: paperless/settings.py:700 +#: paperless/settings.py:703 msgid "Japanese" msgstr "" -#: paperless/settings.py:701 +#: paperless/settings.py:704 msgid "Korean" msgstr "" -#: paperless/settings.py:702 +#: paperless/settings.py:705 msgid "Luxembourgish" msgstr "" -#: paperless/settings.py:703 +#: paperless/settings.py:706 msgid "Norwegian" msgstr "" -#: paperless/settings.py:704 +#: paperless/settings.py:707 msgid "Dutch" msgstr "" -#: paperless/settings.py:705 +#: paperless/settings.py:708 msgid "Polish" msgstr "" -#: paperless/settings.py:706 +#: paperless/settings.py:709 msgid "Portuguese (Brazil)" msgstr "" -#: paperless/settings.py:707 +#: paperless/settings.py:710 msgid "Portuguese" msgstr "" -#: paperless/settings.py:708 +#: paperless/settings.py:711 msgid "Romanian" msgstr "" -#: paperless/settings.py:709 +#: paperless/settings.py:712 msgid "Russian" msgstr "" -#: paperless/settings.py:710 +#: paperless/settings.py:713 msgid "Slovak" msgstr "" -#: paperless/settings.py:711 +#: paperless/settings.py:714 msgid "Slovenian" msgstr "" -#: paperless/settings.py:712 +#: paperless/settings.py:715 msgid "Serbian" msgstr "" -#: paperless/settings.py:713 +#: paperless/settings.py:716 msgid "Swedish" msgstr "" -#: paperless/settings.py:714 +#: paperless/settings.py:717 msgid "Turkish" msgstr "" -#: paperless/settings.py:715 +#: paperless/settings.py:718 msgid "Ukrainian" msgstr "" -#: paperless/settings.py:716 +#: paperless/settings.py:719 msgid "Chinese Simplified" msgstr "" -#: paperless/urls.py:254 +#: paperless/urls.py:268 msgid "Paperless-ngx administration" msgstr "" diff --git a/src/paperless/serialisers.py b/src/paperless/serialisers.py index 52f9e2b33..d5acfe465 100644 --- a/src/paperless/serialisers.py +++ b/src/paperless/serialisers.py @@ -1,5 +1,6 @@ import logging +from allauth.mfa.adapter import get_adapter as get_mfa_adapter from allauth.socialaccount.models import SocialAccount from django.contrib.auth.models import Group from django.contrib.auth.models import Permission @@ -32,6 +33,11 @@ class UserSerializer(serializers.ModelSerializer): required=False, ) inherited_permissions = serializers.SerializerMethodField() + is_mfa_enabled = serializers.SerializerMethodField() + + def get_is_mfa_enabled(self, user: User): + mfa_adapter = get_mfa_adapter() + return mfa_adapter.is_mfa_enabled(user) class Meta: model = User @@ -49,6 +55,7 @@ class UserSerializer(serializers.ModelSerializer): "groups", "user_permissions", "inherited_permissions", + "is_mfa_enabled", ) def get_inherited_permissions(self, obj): @@ -130,6 +137,11 @@ class ProfileSerializer(serializers.ModelSerializer): read_only=True, source="socialaccount_set", ) + is_mfa_enabled = serializers.SerializerMethodField() + + def get_is_mfa_enabled(self, user: User): + mfa_adapter = get_mfa_adapter() + return mfa_adapter.is_mfa_enabled(user) class Meta: model = User @@ -141,6 +153,7 @@ class ProfileSerializer(serializers.ModelSerializer): "auth_token", "social_accounts", "has_usable_password", + "is_mfa_enabled", ) diff --git a/src/paperless/settings.py b/src/paperless/settings.py index d6489fa81..e5f31800f 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py @@ -316,6 +316,7 @@ INSTALLED_APPS = [ "allauth", "allauth.account", "allauth.socialaccount", + "allauth.mfa", *env_apps, ] @@ -458,6 +459,8 @@ SOCIALACCOUNT_PROVIDERS = json.loads( os.getenv("PAPERLESS_SOCIALACCOUNT_PROVIDERS", "{}"), ) +MFA_TOTP_ISSUER = "Paperless-ngx" + ACCOUNT_EMAIL_SUBJECT_PREFIX = "[Paperless-ngx] " DISABLE_REGULAR_LOGIN = __get_boolean("PAPERLESS_DISABLE_REGULAR_LOGIN") diff --git a/src/paperless/urls.py b/src/paperless/urls.py index a024c925a..2ebd7e739 100644 --- a/src/paperless/urls.py +++ b/src/paperless/urls.py @@ -1,6 +1,7 @@ import os from allauth.account import views as allauth_account_views +from allauth.mfa.base import views as allauth_mfa_views from allauth.socialaccount import views as allauth_social_account_views from allauth.urls import build_provider_urlpatterns from django.conf import settings @@ -54,6 +55,7 @@ from paperless.views import GenerateAuthTokenView from paperless.views import GroupViewSet from paperless.views import ProfileView from paperless.views import SocialAccountProvidersView +from paperless.views import TOTPView from paperless.views import UserViewSet from paperless_mail.views import MailAccountTestView from paperless_mail.views import MailAccountViewSet @@ -146,19 +148,34 @@ urlpatterns = [ BulkEditObjectsView.as_view(), name="bulk_edit_objects", ), - path("profile/generate_auth_token/", GenerateAuthTokenView.as_view()), - path( - "profile/disconnect_social_account/", - DisconnectSocialAccountView.as_view(), - ), - path( - "profile/social_account_providers/", - SocialAccountProvidersView.as_view(), - ), re_path( "^profile/", - ProfileView.as_view(), - name="profile_view", + include( + [ + path( + "generate_auth_token/", + GenerateAuthTokenView.as_view(), + ), + path( + "disconnect_social_account/", + DisconnectSocialAccountView.as_view(), + ), + path( + "social_account_providers/", + SocialAccountProvidersView.as_view(), + ), + re_path( + "^$", + ProfileView.as_view(), + name="profile_view", + ), + path( + "totp/", + TOTPView.as_view(), + name="totp_view", + ), + ], + ), ), re_path( "^status/", @@ -296,6 +313,12 @@ urlpatterns = [ ), ), *build_provider_urlpatterns(), + # mfa, see allauth/mfa/base/urls.py + path( + "2fa/authenticate/", + allauth_mfa_views.authenticate, + name="mfa_authenticate", + ), ], ), ), diff --git a/src/paperless/views.py b/src/paperless/views.py index 974830d83..b5142ed62 100644 --- a/src/paperless/views.py +++ b/src/paperless/views.py @@ -1,6 +1,12 @@ import os from collections import OrderedDict +from allauth.mfa import signals +from allauth.mfa.adapter import get_adapter as get_mfa_adapter +from allauth.mfa.base.internal.flows import delete_and_cleanup +from allauth.mfa.models import Authenticator +from allauth.mfa.recovery_codes.internal.flows import auto_generate_recovery_codes +from allauth.mfa.totp.internal import auth as totp_auth from allauth.socialaccount.adapter import get_adapter from allauth.socialaccount.models import SocialAccount from django.contrib.auth.models import Group @@ -8,9 +14,12 @@ from django.contrib.auth.models import User from django.db.models.functions import Lower from django.http import HttpResponse from django.http import HttpResponseBadRequest +from django.http import HttpResponseForbidden +from django.http import HttpResponseNotFound from django.views.generic import View from django_filters.rest_framework import DjangoFilterBackend from rest_framework.authtoken.models import Token +from rest_framework.decorators import action from rest_framework.filters import OrderingFilter from rest_framework.generics import GenericAPIView from rest_framework.pagination import PageNumberPagination @@ -100,6 +109,24 @@ class UserViewSet(ModelViewSet): filterset_class = UserFilterSet ordering_fields = ("username",) + @action(detail=True, methods=["post"]) + def deactivate_totp(self, request, pk=None): + request_user = request.user + user = User.objects.get(pk=pk) + if not request_user.is_superuser and request_user != user: + return HttpResponseForbidden( + "You do not have permission to deactivate TOTP for this user", + ) + authenticator = Authenticator.objects.filter( + user=user, + type=Authenticator.Type.TOTP, + ).first() + if authenticator is not None: + delete_and_cleanup(request, authenticator) + return Response(True) + else: + return HttpResponseNotFound("TOTP not found") + class GroupViewSet(ModelViewSet): model = Group @@ -145,6 +172,76 @@ class ProfileView(GenericAPIView): return Response(serializer.to_representation(user)) +class TOTPView(GenericAPIView): + """ + TOTP views + """ + + permission_classes = [IsAuthenticated] + + def get(self, request, *args, **kwargs): + """ + Generates a new TOTP secret and returns the URL and SVG + """ + user = self.request.user + mfa_adapter = get_mfa_adapter() + secret = totp_auth.get_totp_secret(regenerate=True) + url = mfa_adapter.build_totp_url(user, secret) + svg = mfa_adapter.build_totp_svg(url) + return Response( + { + "url": url, + "qr_svg": svg, + "secret": secret, + }, + ) + + def post(self, request, *args, **kwargs): + """ + Validates a TOTP code and activates the TOTP authenticator + """ + valid = totp_auth.validate_totp_code( + request.data["secret"], + request.data["code"], + ) + recovery_codes = None + if valid: + auth = totp_auth.TOTP.activate( + request.user, + request.data["secret"], + ).instance + signals.authenticator_added.send( + sender=Authenticator, + request=request, + user=request.user, + authenticator=auth, + ) + rc_auth: Authenticator = auto_generate_recovery_codes(request) + if rc_auth: + recovery_codes = rc_auth.wrap().get_unused_codes() + return Response( + { + "success": valid, + "recovery_codes": recovery_codes, + }, + ) + + def delete(self, request, *args, **kwargs): + """ + Deactivates the TOTP authenticator + """ + user = self.request.user + authenticator = Authenticator.objects.filter( + user=user, + type=Authenticator.Type.TOTP, + ).first() + if authenticator is not None: + delete_and_cleanup(request, authenticator) + return Response(True) + else: + return HttpResponseNotFound("TOTP not found") + + class GenerateAuthTokenView(GenericAPIView): """ Generates (or re-generates) an auth token, requires a logged in user