Add support for one-time passwords (two-factor authentication) #2655
This commit will establish minimal styles based on the new HTML structure of the otp section.
@jtomeck Screenshots please? Whenever you are done with the current round of work.
@brianhelba @mgrauer I worked on styling the UI of the one time password widget. Here is a screenshot of my approach.
I like the styling @jtomeck! Peanut gallery item: Should the bottom Cancel/Enable buttons be together (say both on the left) with the same size / font size, not unlike the "Close and comment" and Comment buttons on GitHub comments?
More peanut gallery items:
Also, most MFA implementations I've used have a modal dialog for username/password and then a separate dialog for the second factor. Is this a workflow we should consider? The benefit of this approach would be that we only prompt the user for a second factor if they actually have it enabled, avoiding confusion for those who don't.
@jeffbaumes I think that's a good idea. I had a thought process behind why I did it the way I did, but I don't think the result really does anything to help the user on their path through the UI. @danlamanna Right now that bottom bar just has the top bar hex value for its color. I don't think it would be good if that matched the brand color because it could hurt the visibility of the buttons in the bar. I think this raises the question of if we want to change the color of the bottom bar, as well as the other blue elements I've designed into the layout. Maybe there are some stylus color variables somewhere in the CSS that I can play around with.
@@ -127,7 +138,16 @@ def validate(self, doc): | |||
|
|||
return doc | |||
|
|||
def authenticate(self, login, password): | |||
def filter(self, doc, user, additionalKeys=None): |
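Review bot: only the new signature `def filter(self, doc, user, additionalKeys=None):` is visible in this hunk, so a reader cannot tell which derived keys the override adds to the filtered user document or which stored fields of the `otp` sub-document it withholds from clients; a docstring listing the derived keys it produces and stating that nothing from `user['otp']` beyond the derived values is returned would make the intent explicit, and a unit test asserting on the filtered document's keys would guard it.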
@girder/developers I'm not sure if I like what's being done here, but it's the only way I see to create 'derived' values when a document is filtered.
@zachmullen Let me know if you have any thoughts.
girder/models/user.py
} | ||
|
||
def hasOtp(self, user): | ||
return 'otp' in user and user['otp']['enabled'] |
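Review bot: `return 'otp' in user and user['otp']['enabled']` raises `KeyError` for any user document that has an `otp` sub-document without an `enabled` key, and returns whatever object is stored under `enabled` rather than a boolean; `return bool(user.get('otp', {}).get('enabled', False))` handles both cases and keeps the method safe to call on every user document.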
hasOtpEnabled
@girder/developers Review is complete and this is ready to merge. However, we need to fix #2730 before testing will pass in CI.
@danlamanna Fixed a bug causing tests to sometimes fail. PTAL again.
💕
This now has basic functionality. Still TODO:

- Girder-OTP to default CORS headers

Additional work that may be out of scope for this initial PR:

- User._TotpFactory is created (requires more robust server hostname detection)

Technical reference: http://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html
Current login dialog:
Before 2FA enrollment:
2FA enrollment process: