feat: Email as a method for multi-factor authentication (#15134)

* feat: Email as a method for multi-factor authentication

* perf: Optimize the MFA email sending logic

* perf: Optimize some parameters

* perf: Translate
pull/15137/head
Halo 2025-03-27 17:26:38 +08:00 committed by GitHub
parent b55000663e
commit 514b2cdfc5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 104 additions and 1 deletions

View File

@ -3,3 +3,4 @@ from .face import MFAFace
from .otp import MFAOtp, otp_failed_msg
from .radius import MFARadius
from .sms import MFASms
from .email import MFAEmail

View File

@ -0,0 +1,68 @@
from django.conf import settings
from django.template.loader import render_to_string
from django.utils.translation import gettext_lazy as _
from common.utils import random_string
from common.utils.verify_code import SendAndVerifyCodeUtil
from settings.utils import get_login_title
from .base import BaseMFA
email_failed_msg = _("Email verify code invalid")
class MFAEmail(BaseMFA):
name = 'email'
display_name = _('Email')
placeholder = _('Email verification code')
def check_code(self, code):
assert self.is_authenticated()
sender_util = SendAndVerifyCodeUtil(self.user.email, backend=self.name)
ok = sender_util.verify(code)
msg = '' if ok else email_failed_msg
return ok, msg
def is_active(self):
if not self.is_authenticated():
return True
return self.user.email
@staticmethod
def challenge_required():
return True
def send_challenge(self):
code = random_string(settings.SMS_CODE_LENGTH, lower=False, upper=False)
subject = '%s: %s' % (get_login_title(), _('MFA code'))
context = {
'user': self.user, 'title': subject, 'code': code,
}
message = render_to_string('authentication/_msg_mfa_email_code.html', context)
content = {'subject': subject, 'message': message}
sender_util = SendAndVerifyCodeUtil(
self.user.email, code=code, backend=self.name, timeout=60, **content
)
sender_util.gen_and_send_async()
@staticmethod
def global_enabled():
return settings.SECURITY_MFA_BY_EMAIL
def disable(self):
return '/ui/#/profile/index'
def get_enable_url(self) -> str:
return ''
def can_disable(self) -> bool:
return False
def get_disable_url(self):
return ''
@staticmethod
def help_text_of_enable():
return ''
def help_text_of_disable(self):
return ''

View File

@ -0,0 +1,18 @@
{% load i18n %}
<div style="width: 100%; text-align: center">
<table style="margin: 0 auto; border: 1px solid #ccc; border-collapse: collapse; width: 60%">
<tr style="background-color: #1ab394; color: white">
<th style="height: 80px;">{{ title }}</th>
</tr>
<tr style="border: 1px solid #eee;">
<td style="height: 50px;">{% trans 'Hello' %} {{ user.name }},</td>
</tr>
<tr style="border: 1px solid #eee">
<td style="height: 50px;">{% trans 'MFA code' %}: <span style="font-weight: bold;">{{ code }}</span></td>
</tr>
<tr style="border: 1px solid #eee">
<td style="height: 30px;">{% trans 'The validity period of the verification code is one minute' %}</td>
</tr>
</table>
</div>

View File

@ -7473,6 +7473,14 @@ msgid ""
"account password"
msgstr "单位:秒,目前仅在查看账号密码校验 MFA 时生效"
#: settings/serializers/security.py:129
msgid "MFA via Email"
msgstr "邮件验证 MFA"
#: settings/serializers/security.py:130
msgid "Email as a method for multi-factor authentication"
msgstr "将电子邮件作为多因子认证的一种方式"
#: settings/serializers/security.py:143
msgid "MFA in login page"
msgstr "MFA 在登录页面输入"

View File

@ -564,6 +564,7 @@ class Config(dict):
# 安全配置
'SECURITY_MFA_AUTH': 0, # 0 不开启 1 全局开启 2 管理员开启
'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
'SECURITY_MFA_BY_EMAIL': False,
'SECURITY_COMMAND_EXECUTION': False,
'SECURITY_COMMAND_BLACKLIST': [
'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'

View File

@ -325,9 +325,10 @@ MFA_BACKEND_OTP = 'authentication.mfa.otp.MFAOtp'
MFA_BACKEND_FACE = 'authentication.mfa.face.MFAFace'
MFA_BACKEND_RADIUS = 'authentication.mfa.radius.MFARadius'
MFA_BACKEND_SMS = 'authentication.mfa.sms.MFASms'
MFA_BACKEND_EMAIL = 'authentication.mfa.email.MFAEmail'
MFA_BACKEND_CUSTOM = 'authentication.mfa.custom.MFACustom'
MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE]
MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE, MFA_BACKEND_EMAIL]
MFA_CUSTOM = CONFIG.MFA_CUSTOM
MFA_CUSTOM_FILE_MD5 = CONFIG.MFA_CUSTOM_FILE_MD5

View File

@ -34,6 +34,7 @@ FTP_FILE_MAX_STORE = CONFIG.FTP_FILE_MAX_STORE
# Security settings
SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
SECURITY_MFA_BY_EMAIL = CONFIG.SECURITY_MFA_BY_EMAIL
SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME # Unit: minute
SECURITY_MAX_SESSION_TIME = CONFIG.SECURITY_MAX_SESSION_TIME # Unit: hour
SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION

View File

@ -124,6 +124,11 @@ class SecurityAuthSerializer(serializers.Serializer):
label=_('Third-party login MFA'),
help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
)
SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
required=False, default=False,
label=_('MFA via Email'),
help_text=_('Email as a method for multi-factor authentication')
)
OTP_ISSUER_NAME = serializers.CharField(
required=False, max_length=16, label=_('OTP issuer name'),
)