Add support for one-time passwords (two-factor authentication)

[brianhelba]

This now has basic functionality. Still TODO:

• Allow OTP to be sent when logging into the SFTP server
• Only prompt for an OTP on the login dialog if necessary
• Refactor some logic out of the API layer and into the User model
• Add Girder-OTP to default CORS headers
• Server testing
• Client testing
• Resolve autoDescribeRoute doesn't support required header parameters #2724
• Add client confirmation / error message dialogs
• Final styling pass
• Resolve Ensure models connect to current pytest database #2730

Additional work that may be out of scope for this initial PR:

• Rate limit login requests
• Switch caching of the last-used token to be stored in MongoDB (see here for possibly-helpful resources)
• Option to mandate use of 2FA by all users
• Allow user to recover account access with HOTP-based codes (currently, a site admin must disable a user's OTP to recover access)
• Use application secrets (once they exist) when generating TOTP keys
• Set OTP issuer when User._TotpFactory is created (requires more robust server hostname detection)

Technical reference: http://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html

---

Current login dialog:

Before 2FA enrollment:

2FA enrollment process:

[mgrauer]

@jtomeck Screenshots please? Whenever you are done with the current round of work.

[jtomeck]

@brianhelba @mgrauer I worked on styling the UI of the one time password widget. Here is a screenshot of my approach.

[jeffbaumes]

I like the styling @jtomeck! Peanut gallery item: Should the bottom Cancel/Enable buttons be together (say both on the left) with the same size / font size, not unlike the "Close and comment" and Comment buttons on GitHub comments?

[danlamanna]

More peanut gallery items:

• Will the bottom brown be affected by the brand color settings, and is that good/bad? (Not sure how that's implemented)
• Can we grep this whole branch and ensure that "Two-Factor" is labeled as such everywhere? I saw the original PR had both "2-factor" and "two-factor".

[danlamanna]

Also, most MFA implementations I've used have a modal dialog for username/password and then a separate dialog for the second factor. Is this a workflow we should consider? The benefit of this approach would be that we only prompt the user for a second factor if they actually have it enabled, avoiding confusion for those who don't.

[jtomeck]

@jeffbaumes I think that's a good idea. I had a thought process behind why I did it the way I did, but I don't think the result really does anything to help the user on their path through the UI.

@danlamanna Right now that bottom bar just has the the top bar hex value for its color. I don't think it would be good if that matched the brand color because it could hurt the visibility of the buttons in the bar. I think this raises the question of if we want to change the color of the bottom bar, as well as the other blue elements I've designed into the layout. Maybe there are some stylus color variables somewhere in the CSS that I can play around with.

[brianhelba]

@girder/developers I'm not sure if I like what's being done here, but it's the only way I see to create 'derived' values when a document is filtered.

[brianhelba]

@zachmullen Let me know if you have any thoughts.

[danlamanna]

hasOtpEnabled

[brianhelba]

@girder/developers Review is complete and this is ready to merge. However, we need to fix #2730 before testing will pass in CI.

[brianhelba]

@danlamanna Fixed a bug causing tests to sometimes fail. PTAL again.

[mgrauer]

💕