🎨 Two-factor-auth per user (🗃️ ) (#5061)

ITISFoundation · Nov 21, 2023 · d332076 · d332076
1 parent d459139
commit d332076
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/...e_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py b/...e_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py
@@ -0,0 +1,35 @@
+"""new two_factor_enabled user column
+
+Revision ID: 215b2cac1dbc
+Revises: 22404057a50c
+Create Date: 2023-11-21 14:42:42.170235+00:00
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "215b2cac1dbc"
+down_revision = "22404057a50c"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "users",
+        sa.Column(
+            "two_factor_enabled",
+            sa.Boolean(),
+            server_default=sa.text("true"),
+            nullable=False,
+        ),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("users", "two_factor_enabled")
+    # ### end Alembic commands ###
diff --git a/packages/postgres-database/src/simcore_postgres_database/models/users.py b/packages/postgres-database/src/simcore_postgres_database/models/users.py
@@ -100,6 +100,14 @@ class UserStatus(Enum):
         nullable=True,  # since 2FA can be configured optional
         doc="Confirmed user phone used e.g. to send a code for a two-factor-authentication",
     ),
+    sa.Column(
+        "two_factor_enabled",
+        sa.Boolean,
+        server_default=sa.sql.expression.true(),
+        nullable=False,
+        doc="Wheter 2FA is enabled at login by this user."
+        "NOTE that this is checked ONLY if application activates 2FA",
+    ),
     sa.Column("password_hash", sa.String, nullable=False),
     sa.Column(
         "primary_gid",

diff --git a/services/web/server/src/simcore_service_webserver/login/handlers_auth.py b/services/web/server/src/simcore_service_webserver/login/handlers_auth.py
@@ -1,5 +1,4 @@
 import logging
-from typing import Final
 
 from aiohttp import web
 from aiohttp.web import RouteTableDef
@@ -99,9 +98,8 @@ async def login(request: web.Request):
         product=product,
     )
 
-    # Some roles have login privileges
-    has_privileges: Final[bool] = UserRole(user["role"]) > UserRole.USER
-    if has_privileges or not settings.LOGIN_2FA_REQUIRED:
+    skip_2fa = not user.get("two_factor_enabled", True)
+    if skip_2fa or not settings.LOGIN_2FA_REQUIRED:
         return await login_granted_response(request, user=user)
 
     # no phone