From d33207639708f98001b1a924f2c2d69e9c150377 Mon Sep 17 00:00:00 2001 From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com> Date: Tue, 21 Nov 2023 19:16:35 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=8E=A8=20Two-factor-auth=20per=20user=20(?= =?UTF-8?q?=F0=9F=97=83=EF=B8=8F=20)=20(#5061)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...1dbc_new_two_factor_enabled_user_column.py | 35 +++++++++++++++++++ .../simcore_postgres_database/models/users.py | 8 +++++ .../login/handlers_auth.py | 6 ++-- 3 files changed, 45 insertions(+), 4 deletions(-) create mode 100644 packages/postgres-database/src/simcore_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py diff --git a/packages/postgres-database/src/simcore_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py b/packages/postgres-database/src/simcore_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py new file mode 100644 index 00000000000..981432c75a1 --- /dev/null +++ b/packages/postgres-database/src/simcore_postgres_database/migration/versions/215b2cac1dbc_new_two_factor_enabled_user_column.py @@ -0,0 +1,35 @@ +"""new two_factor_enabled user column + +Revision ID: 215b2cac1dbc +Revises: 22404057a50c +Create Date: 2023-11-21 14:42:42.170235+00:00 + +""" +import sqlalchemy as sa +from alembic import op + +# revision identifiers, used by Alembic. +revision = "215b2cac1dbc" +down_revision = "22404057a50c" +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.add_column( + "users", + sa.Column( + "two_factor_enabled", + sa.Boolean(), + server_default=sa.text("true"), + nullable=False, + ), + ) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_column("users", "two_factor_enabled") + # ### end Alembic commands ### diff --git a/packages/postgres-database/src/simcore_postgres_database/models/users.py b/packages/postgres-database/src/simcore_postgres_database/models/users.py index 7c04800a07a..3505771f0d4 100644 --- a/packages/postgres-database/src/simcore_postgres_database/models/users.py +++ b/packages/postgres-database/src/simcore_postgres_database/models/users.py @@ -100,6 +100,14 @@ class UserStatus(Enum): nullable=True, # since 2FA can be configured optional doc="Confirmed user phone used e.g. to send a code for a two-factor-authentication", ), + sa.Column( + "two_factor_enabled", + sa.Boolean, + server_default=sa.sql.expression.true(), + nullable=False, + doc="Wheter 2FA is enabled at login by this user." + "NOTE that this is checked ONLY if application activates 2FA", + ), sa.Column("password_hash", sa.String, nullable=False), sa.Column( "primary_gid", diff --git a/services/web/server/src/simcore_service_webserver/login/handlers_auth.py b/services/web/server/src/simcore_service_webserver/login/handlers_auth.py index b18dff0ae45..bd6088a8d08 100644 --- a/services/web/server/src/simcore_service_webserver/login/handlers_auth.py +++ b/services/web/server/src/simcore_service_webserver/login/handlers_auth.py @@ -1,5 +1,4 @@ import logging -from typing import Final from aiohttp import web from aiohttp.web import RouteTableDef @@ -99,9 +98,8 @@ async def login(request: web.Request): product=product, ) - # Some roles have login privileges - has_privileges: Final[bool] = UserRole(user["role"]) > UserRole.USER - if has_privileges or not settings.LOGIN_2FA_REQUIRED: + skip_2fa = not user.get("two_factor_enabled", True) + if skip_2fa or not settings.LOGIN_2FA_REQUIRED: return await login_granted_response(request, user=user) # no phone