Support two factor auth (2FA) #3523
I'm +0 on adding it. I don't think RTD is so sensitive that we are a common attack vector. I'm much more worried about building authoring features before building something like this, unless it's simple to do with a pluggable Django app. Unless users are specifically asking for this, I don't see it as a high priority (sadly).
Yeah, I agree on priority here. This is a feature that I consider more important for commercial hosting, but I also haven't had any requests for this feature.
Also, I think a lot of what I want to add would probably be more applicable as a Django admin action instead of an on-site admin-only feature.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Accepted 👍
I am a little confused on this line about what this means.
Any update on this?
Sadly not -- we'd love to support it, but it isn't on our short term roadmap. If there is a good way to handle this via Django, we'd love to know, but I haven't found one.
Today I did a quick search and I found this one https://django-allauth-2fa.readthedocs.io/en/latest/, which looks like a good candidate since it should integrate directly with our current auth system: django-allauth.
There is another Python package that could be useful for this: https://github.com/justinmayer/kagi
I do wonder about basically just punting on this, and saying to use one of our SSO options if you want 2FA. I think more and more users are going to be defaulting to logging in with those options to enable our VCS SSO anyway.
I think suggesting SSO options is the way to go here. However, is it possible to "remove the password" from an existing user after connecting GitHub, for example? I did a quick check and I wasn't able to find it.
Django allauth now has built-in support for 2FA: https://docs.allauth.org/en/latest/mfa/introduction.html
We talked about supporting this during the offsite if it wasn't super complicated. I'm adding this issue to 2024Q3 to see if we can prioritize it.
Yea, now that allauth supports it, would be great to add 👍
Putting this on our next sprint, as this is now supported in AllAuth, hopefully this will be pretty straightforward 🙏
Well, it was easy to integrate. Just install a new dependency. Things to take into consideration:
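The two comments above say that allauth now ships MFA and that wiring it in amounts to installing the dependency and adjusting settings. As an added example (not Read the Docs' configuration, and not code from the thread), here is what a minimal Django settings fragment for allauth's `allauth.mfa` app looks like, together with a small startup check that flags an incomplete rollout. The setting names are the ones documented for allauth's MFA app and should be verified against the allauth version you pin; the issuer string, the app and middleware lists, and the "recovery codes must accompany TOTP" policy are assumptions made for the example.

```python
"""Illustrative Django settings fragment for django-allauth's built-in MFA.

Added example, not Read the Docs' own configuration. Setting names follow the
allauth MFA documentation; check them against the allauth release you use.
The issuer label, app/middleware lists and the recovery-code policy are
assumptions for this example.
"""

from __future__ import annotations

# Apps: `allauth.mfa` depends on `allauth.account`, which in turn needs the
# standard auth/contenttypes/sessions/messages/sites apps.
INSTALLED_APPS = [
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.sites",
    "allauth",
    "allauth.account",
    "allauth.socialaccount",
    "allauth.mfa",  # TOTP authenticator apps and single-use recovery codes
]

# Recent allauth releases require their own middleware to be installed.
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "allauth.account.middleware.AccountMiddleware",
]

# Offer only authenticator apps plus recovery codes. The thread notes that the
# remaining work is templating; every extra method is another set of templates.
MFA_SUPPORTED_TYPES = ["totp", "recovery_codes"]
MFA_TOTP_ISSUER = "Read the Docs"  # assumed label shown in authenticator apps
MFA_TOTP_DIGITS = 6
MFA_TOTP_PERIOD = 30
MFA_RECOVERY_CODE_COUNT = 10

# allauth mounts its MFA views under the "2fa/" prefix of the `allauth.urls`
# include, i.e. /accounts/2fa/ when that include is mounted at "accounts/".

# Method identifiers allauth knows about (webauthn exists in newer releases).
KNOWN_MFA_TYPES = {"totp", "recovery_codes", "webauthn"}


def mfa_config_errors(installed_apps, middleware, supported_types):
    """Return human-readable problems with an MFA configuration (empty if OK).

    Intended to run at startup (for instance from a Django system check) so a
    half-finished rollout fails loudly instead of silently leaving MFA off.
    """
    errors = []
    apps = set(installed_apps)
    if "allauth.mfa" not in apps:
        errors.append("allauth.mfa is not in INSTALLED_APPS; MFA is disabled")
    if "allauth.mfa" in apps and "allauth.account" not in apps:
        errors.append("allauth.mfa requires allauth.account in INSTALLED_APPS")
    if "allauth.account.middleware.AccountMiddleware" not in middleware:
        errors.append("AccountMiddleware missing from MIDDLEWARE")
    unknown = sorted(set(supported_types) - KNOWN_MFA_TYPES)
    if unknown:
        errors.append(f"unknown MFA types in MFA_SUPPORTED_TYPES: {unknown}")
    # Project policy (assumption): never offer TOTP without a recovery path,
    # otherwise a lost phone turns into a support ticket or a locked account.
    if "totp" in supported_types and "recovery_codes" not in supported_types:
        errors.append("recovery_codes should accompany totp so users can recover")
    return errors


if __name__ == "__main__":
    problems = mfa_config_errors(INSTALLED_APPS, MIDDLEWARE, MFA_SUPPORTED_TYPES)
    print("MFA configuration OK" if not problems else "\n".join(problems))
```

Running the module prints whether the fragment passes its own check; dropping `allauth.account`, the middleware, or `recovery_codes` from the lists produces one message per problem, which is the behaviour a system check should have before the feature is exposed in the dashboard.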
It sounds like overall the main work is templating then and some QA? I assume the templates should be pretty simple, so hopefully not a ton of work to theme.
I confirmed these
Yep, if we are cool with that, I can open a PR with the changes.
Note: support for 2FA has been added, but it won't be exposed to users yet; we will be exposing this feature in the new dashboard (once it's ready).
@stsewd Could you give the URL for the MFA settings?
We should enable 2FA for dashboard users. I keep wanting to add site admin features to the dashboard, but then think about the security aspects of adding these features and find myself also wanting 2FA. There are some libraries that do handle a 2FA workflow for standard Django logins, but I don't know if this extends to Django + allauth or Django + mamacas.
I'm sure we're probably in agreement on this being an important feature, but I'm not sure we can gauge the importance of 2FA for users. I'm sure community users would use a feature like this, and site admins would use this feature -- I doubt this is in high demand for commercial hosting customers though.
The following thoughts come to mind: