Mailman 3 MFA with django-allauth[mfa]
 
            Has anyone successfully got MFA working in Mailman 3 with django-allauth[mfa]?
I'm struggling to get it working with the limited documentation I could find. (https://docs.allauth.org/en/dev/mfa/index.html)
If signed in as a user, I can browse to /accounts/2fa/ to activate MFA, but I was hoping to make it a mandatory part of the Sign Up process. Is there something that needs to be done with the URLs somewhere?
This list site is an example of how I'd like it to work: https://mailing-lists.imperial.ac.uk/
Here is what I added to settings.py:
#----------------------------------------
INSTALLED_APPS = [
    'hyperkitty', 'postorius', 'django_mailman3',
    'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes',
    'django.contrib.sessions', 'django.contrib.sites', 'django.contrib.messages',
    'django.contrib.staticfiles', 'django.contrib.humanize',
    'rest_framework', 'django_gravatar', 'compressor', 'haystack',
    'django_extensions', 'django_q',
    'allauth', 'allauth.account', 'allauth.mfa', 'allauth.socialaccount',
]

# Specifies the adapter class to use, allowing you to alter certain default behaviour.
MFA_ADAPTER = "allauth.mfa.adapter.DefaultMFAAdapter"

# Used to override forms. Defaults to:
MFA_FORMS = {
    'authenticate': 'allauth.mfa.forms.AuthenticateForm',
    'reauthenticate': 'allauth.mfa.forms.AuthenticateForm',
    'activate_totp': 'allauth.mfa.forms.ActivateTOTPForm',
    'deactivate_totp': 'allauth.mfa.forms.DeactivateTOTPForm',
}

MFA_RECOVERY_CODE_COUNT = 10
MFA_TOTP_PERIOD = 30
MFA_TOTP_DIGITS = 6
#----------------------------------------
Thanks.
 
            Liam Reilly writes:
Has anyone successfully got MFA working in Mailman 3 with django-allauth[mfa]?
Define "success". I don't think you mean what the authors of allauth.mfa mean. :-)
If signed in as a user, I can browse to /accounts/2fa/ to activate MFA, but I was hoping to make it a mandatory part of the Sign Up process. Is there something that needs to be done with the URLs somewhere?
The documentation doesn't say anything about making it "mandatory" (again, define please -- there are subtleties which would affect the implementation), but is quite explicit about allowing the user to activate and deactivate authentication methods. So I would guess this is up to you to figure out.
This list site is an example of how I'd like it to work: https://mailing-lists.imperial.ac.uk/
Not helpful. It looks like a pretty standard site from the top page. But I'm not giving out my private information to people I have no connection to, and I don't know what sensors they may have attached looking for mischief.
Here is what I added to settings.py:
[...]
MFA_ADAPTER = "allauth.mfa.adapter.DefaultMFAAdapter"
You may need to override this module. Typical changes involve wrapping the module to change defaults, then invoking the module.
# Used to override forms. Defaults to:
MFA_FORMS = {
    'authenticate': 'allauth.mfa.forms.AuthenticateForm',
    'reauthenticate': 'allauth.mfa.forms.AuthenticateForm',
    'activate_totp': 'allauth.mfa.forms.ActivateTOTPForm',
    'deactivate_totp': 'allauth.mfa.forms.DeactivateTOTPForm',
}
In some sense, making it "mandatory" might be as simple as changing the "activate" form to provide no choice, and removing the deactivate form from the urlconf. That would not be elegant, and would likely confuse users by presenting them with a useless form. But I'm just guessing at this point.
While it's perfectly reasonable to ask here, I think you're most likely to get useful answers on Django allauth channels.
--
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
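One way to enforce the enrollment the question asks for, as an added example that is not from either post and not part of allauth or Mailman: a Django-style middleware that sends every signed-in user who has not enrolled to the TOTP activation page, while exempting the setup flow and logout so the redirect cannot loop. The activation path, the `is_mfa_enabled` helper name and the injected constructor arguments are assumptions.

```python
from types import SimpleNamespace
from typing import Callable, Optional

# allauth's TOTP activation view; the path is assumed from the /accounts/2fa/ prefix above.
ACTIVATE_URL = "/accounts/2fa/totp/activate/"

# A signed-in but unenrolled user must still reach these, or the redirect
# loops and the user can never finish setup or log out.
EXEMPT_PREFIXES = ("/accounts/2fa/", "/accounts/logout/", "/static/")


def mfa_redirect_target(path: str, is_authenticated: bool, mfa_enabled: bool) -> Optional[str]:
    """URL to redirect to, or None if the request may proceed."""
    if not is_authenticated or mfa_enabled:
        return None
    if any(path.startswith(prefix) for prefix in EXEMPT_PREFIXES):
        return None
    return ACTIVATE_URL


class RequireMFAMiddleware:
    """Django-style middleware: signed-in users are sent to TOTP setup until enrolled.

    mfa_check and redirect are injected so this runs without Django; in a deployment
    they would be allauth.mfa.utils.is_mfa_enabled (assumed name) and django.shortcuts.redirect,
    with the class listed in MIDDLEWARE after AuthenticationMiddleware.
    """

    def __init__(self, get_response: Callable, mfa_check: Callable, redirect: Callable):
        self.get_response = get_response
        self.mfa_check = mfa_check
        self.redirect = redirect

    def __call__(self, request):
        target = mfa_redirect_target(
            request.path, request.user.is_authenticated, self.mfa_check(request.user)
        )
        return self.redirect(target) if target else self.get_response(request)


def demo(path: str, authenticated: bool, enrolled: bool) -> str:
    """Run a constructed request through the middleware: returns 'ok' or 'redirect:<url>'."""
    request = SimpleNamespace(path=path, user=SimpleNamespace(is_authenticated=authenticated, enrolled=enrolled))
    mw = RequireMFAMiddleware(
        get_response=lambda req: "ok",
        mfa_check=lambda user: user.enrolled,
        redirect=lambda url: f"redirect:{url}",
    )
    return mw(request)
```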