Introduce totp_enabled_for_admin config option

manisandro · manisandro · commit 96d9d071076d · 2024-11-13T18:55:13.000+01:00
diff --git a/schemas/qwc-db-auth.json b/schemas/qwc-db-auth.json
@@ -116,6 +116,10 @@
           "description": "Enable two factor authentication using TOTP. Default: false",
           "type": "boolean"
         },
+        "totp_enabled_for_admin": {
+          "description": "Whether to enable two-factor authentication using TOTP for admin. Default: false",
+          "type": "boolean"
+        },
         "totp_issuer_name": {
           "description": "Issuer name for QR code URI. Default: 'QWC Services'",
           "type": "string"
diff --git a/src/db_auth.py b/src/db_auth.py
@@ -90,6 +90,7 @@ def __init__(self, tenant, mail, app):
         self.post_param_login = config.get('post_param_login', False)
         self.max_login_attempts = config.get('max_login_attempts', 20)
         self.totp_enabled = config.get('totp_enabled', False)
+        self.totp_enabled_for_admin = config.get('totp_enabled_for_admin', False)
         self.totp_issuer_name = config.get('totp_issuer_name', 'QWC Services')
 
         db_engine = DatabaseEngine()
@@ -200,7 +201,7 @@ def login(self):
                                 # add initial password history entry if missing
                                 self.create_password_history(db_session, user)
 
-                        if self.totp_enabled:
+                        if self.__totp_is_enabled(user):
                             session['login_uid'] = user.id
                             session['target_url'] = target_url
                             if user.totp_secret:
@@ -254,6 +255,12 @@ def verify_login(self):
                     abort(401)
         abort(401)
 
+    def __totp_is_enabled(self, user):
+        """ Returns whether totp is enabled for the specified user
+        :param user User: The user
+        """
+        return self.totp_enabled or (user and user.name == self.DEFAULT_ADMIN_USER and self.totp_enabled_for_admin)
+
     def verify(self):
         """Handle submit of form for TOTP verification token."""
         # create session for ConfigDB
@@ -267,7 +274,7 @@ def __verify(self, db_session, submit=True):
         :param bool submit: Whether form was submitted
                             (False if shown after login form)
         """
-        if not self.totp_enabled or 'login_uid' not in session:
+        if 'login_uid' not in session:
             self.logger.warning("TOTP not enabled or not in login process")
             return redirect(url_for('login'))
 
@@ -276,6 +283,10 @@ def __verify(self, db_session, submit=True):
             self.logger.warning("user not found")
             return redirect(url_for('login'))
 
+        if not self.__totp_is_enabled(user):
+            self.logger.warning("TOTP not enabled or not in login process")
+            return redirect(url_for('login'))
+
         form = VerifyForm(meta=wft_locales())
         form.logo = self.login_logo
         form.background = self.login_background
@@ -323,7 +334,7 @@ def __setup_totp(self, db_session, submit=True):
         :param bool submit: Whether form was submitted
                             (False if shown after login form)
         """
-        if not self.totp_enabled or 'login_uid' not in session:
+        if 'login_uid' not in session:
             self.logger.warning("TOTP not enabled or not in login process")
             return redirect(url_for('login'))
 
@@ -332,6 +343,10 @@ def __setup_totp(self, db_session, submit=True):
             # user not found
             return redirect(url_for('login'))
 
+        if not self.__totp_is_enabled(user):
+            self.logger.warning("TOTP not enabled or not in login process")
+            return redirect(url_for('login'))
+
         totp_secret = session.get('totp_secret', None)
         if totp_secret is None:
             # generate new secret
@@ -386,7 +401,7 @@ def __setup_totp(self, db_session, submit=True):
 
     def qrcode(self):
         """Return TOTP QR code."""
-        if not self.totp_enabled or 'login_uid' not in session:
+        if 'login_uid' not in session:
             self.logger.warning("TOTP not enabled or not in login process")
             abort(404)
 
@@ -412,6 +427,10 @@ def qrcode(self):
             # user not found
             abort(404)
 
+        if not self.__totp_is_enabled(user):
+            self.logger.warning("TOTP not enabled or not in login process")
+            return redirect(url_for('login'))
+
         # generate TOTP URI
         email = user.email or user.name
         uri = pyotp.totp.TOTP(totp_secret).provisioning_uri(
@@ -687,7 +706,7 @@ def __user_is_authorized(self, user, password):
         elif user.check_password(password):
             # valid credentials
             if user.failed_sign_in_count < self.max_login_attempts:
-                if not self.totp_enabled:
+                if not self.__totp_is_enabled(user):
                     # update last sign in timestamp and reset failed attempts
                     # counter
                     user.last_sign_in_at = datetime.datetime.now(datetime.UTC)
