Require two-factor authentication to enable admin mode.

This feature can be disabled with the new ini setting `disable_admin_otp`.
reddit-archive · Jul 23, 2012 · 1db68ce · 1db68ce
1 parent 8dfd73b
commit 1db68ce
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 3 deletions.
diff --git a/install-reddit.sh b/install-reddit.sh
@@ -242,6 +242,7 @@ debug = true
 disable_ads = true
 disable_captcha = true
 disable_ratelimit = true
+disable_require_admin_otp = true
 
 page_cache_time = 0
 

diff --git a/r2/example.ini b/r2/example.ini
@@ -66,6 +66,7 @@ CLOUDSEARCH_SUBREDDIT_DOC_API =
 disable_ads = false
 disable_captcha = false
 disable_ratelimit = false
+disable_require_admin_otp = false
 
 # -- important settings -- 
 # the domain that this app serves itself up as

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
@@ -2705,11 +2705,22 @@ def POST_expando(self, link):
 
     @validatedForm(VUser('password', default=''),
                    VModhash(),
+                   VOneTimePassword("otp",
+                                    required=not g.disable_require_admin_otp),
+                   remember=VBoolean("remember"),
                    dest=VDestination())
-    def POST_adminon(self, form, jquery, dest):
+    def POST_adminon(self, form, jquery, remember, dest):
         if form.has_errors('password', errors.WRONG_PASSWORD):
             return
 
+        if form.has_errors("otp", errors.WRONG_PASSWORD,
+                                  errors.NO_OTP_SECRET,
+                                  errors.RATELIMIT):
+            return
+
+        if remember:
+            self.remember_otp(c.user)
+
         self.enable_admin_mode(c.user)
         form.redirect(dest)
 

diff --git a/r2/r2/lib/app_globals.py b/r2/r2/lib/app_globals.py
@@ -114,6 +114,7 @@ class Globals(object):
             's3_media_direct',
             'disable_captcha',
             'disable_ads',
+            'disable_require_admin_otp',
             'static_pre_gzipped',
             'static_secure_pre_gzipped',
             'trust_local_proxies',

diff --git a/r2/r2/public/static/css/reddit.css b/r2/r2/public/static/css/reddit.css
@@ -5409,8 +5409,13 @@ tr.gold-accent + tr > td {
 }
 
 .adminpasswordform {
-    margin-bottom: .5em;
-    display: inline-block;
+    display: block;
+    margin: .5em auto 0 auto;
+}
+
+.adminpasswordform label {
+    display: block;
+    padding: .5em;
 }
 
 .content.api-help {

diff --git a/r2/r2/templates/passwordverificationform.html b/r2/r2/templates/passwordverificationform.html
@@ -43,6 +43,25 @@ <h1>let me see your papers</h1>
       ${error_field("WRONG_PASSWORD", "password")}
       </%utils:round_field>
 
+      <%utils:round_field title="${_('one-time password')}" description="${_('(required)')}" css_class="adminpasswordform">
+      <input type="text" name="otp" maxlength="6" tabindex="1" required pattern="[0-9]{6}" autocomplete="off"
+      % if c.otp_cached:
+      disabled
+      % endif
+      />
+      ${error_field("WRONG_PASSWORD", "otp")}
+      ${error_field("NO_OTP_SECRET", "otp")}
+      ${error_field("RATELIMIT", "otp")}
+
+      <label>
+          <input type="checkbox" name="remember" tabindex="1"
+          % if c.otp_cached:
+            disabled
+            checked
+          % endif
+          > ${_("remember this computer")}</label>
+      </%utils:round_field>
+
       <p><button type="submit" class="btn" tabindex="1">${_('turn admin on')}</button></p>
       <p class="status error"></p>
     </div>