mirror of https://github.com/jumpserver/jumpserver
feat: Email as a method for multi-factor authentication (#15134)
* feat: Email as a method for multi-factor authentication * perf: Optimize the MFA email sending logic * perf: Optimize some parameters * perf: Translatepull/15137/head
parent
b55000663e
commit
514b2cdfc5
|
@ -3,3 +3,4 @@ from .face import MFAFace
|
|||
from .otp import MFAOtp, otp_failed_msg
|
||||
from .radius import MFARadius
|
||||
from .sms import MFASms
|
||||
from .email import MFAEmail
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
from django.conf import settings
|
||||
from django.template.loader import render_to_string
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from common.utils import random_string
|
||||
from common.utils.verify_code import SendAndVerifyCodeUtil
|
||||
from settings.utils import get_login_title
|
||||
from .base import BaseMFA
|
||||
|
||||
email_failed_msg = _("Email verify code invalid")
|
||||
|
||||
|
||||
class MFAEmail(BaseMFA):
|
||||
name = 'email'
|
||||
display_name = _('Email')
|
||||
placeholder = _('Email verification code')
|
||||
|
||||
def check_code(self, code):
|
||||
assert self.is_authenticated()
|
||||
sender_util = SendAndVerifyCodeUtil(self.user.email, backend=self.name)
|
||||
ok = sender_util.verify(code)
|
||||
msg = '' if ok else email_failed_msg
|
||||
return ok, msg
|
||||
|
||||
def is_active(self):
|
||||
if not self.is_authenticated():
|
||||
return True
|
||||
return self.user.email
|
||||
|
||||
@staticmethod
|
||||
def challenge_required():
|
||||
return True
|
||||
|
||||
def send_challenge(self):
|
||||
code = random_string(settings.SMS_CODE_LENGTH, lower=False, upper=False)
|
||||
subject = '%s: %s' % (get_login_title(), _('MFA code'))
|
||||
context = {
|
||||
'user': self.user, 'title': subject, 'code': code,
|
||||
}
|
||||
message = render_to_string('authentication/_msg_mfa_email_code.html', context)
|
||||
content = {'subject': subject, 'message': message}
|
||||
sender_util = SendAndVerifyCodeUtil(
|
||||
self.user.email, code=code, backend=self.name, timeout=60, **content
|
||||
)
|
||||
sender_util.gen_and_send_async()
|
||||
|
||||
@staticmethod
|
||||
def global_enabled():
|
||||
return settings.SECURITY_MFA_BY_EMAIL
|
||||
|
||||
def disable(self):
|
||||
return '/ui/#/profile/index'
|
||||
|
||||
def get_enable_url(self) -> str:
|
||||
return ''
|
||||
|
||||
def can_disable(self) -> bool:
|
||||
return False
|
||||
|
||||
def get_disable_url(self):
|
||||
return ''
|
||||
|
||||
@staticmethod
|
||||
def help_text_of_enable():
|
||||
return ''
|
||||
|
||||
def help_text_of_disable(self):
|
||||
return ''
|
|
@ -0,0 +1,18 @@
|
|||
{% load i18n %}
|
||||
|
||||
<div style="width: 100%; text-align: center">
|
||||
<table style="margin: 0 auto; border: 1px solid #ccc; border-collapse: collapse; width: 60%">
|
||||
<tr style="background-color: #1ab394; color: white">
|
||||
<th style="height: 80px;">{{ title }}</th>
|
||||
</tr>
|
||||
<tr style="border: 1px solid #eee;">
|
||||
<td style="height: 50px;">{% trans 'Hello' %} {{ user.name }},</td>
|
||||
</tr>
|
||||
<tr style="border: 1px solid #eee">
|
||||
<td style="height: 50px;">{% trans 'MFA code' %}: <span style="font-weight: bold;">{{ code }}</span></td>
|
||||
</tr>
|
||||
<tr style="border: 1px solid #eee">
|
||||
<td style="height: 30px;">{% trans 'The validity period of the verification code is one minute' %}</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
|
@ -7473,6 +7473,14 @@ msgid ""
|
|||
"account password"
|
||||
msgstr "单位:秒,目前仅在查看账号密码校验 MFA 时生效"
|
||||
|
||||
#: settings/serializers/security.py:129
|
||||
msgid "MFA via Email"
|
||||
msgstr "邮件验证 MFA"
|
||||
|
||||
#: settings/serializers/security.py:130
|
||||
msgid "Email as a method for multi-factor authentication"
|
||||
msgstr "将电子邮件作为多因子认证的一种方式"
|
||||
|
||||
#: settings/serializers/security.py:143
|
||||
msgid "MFA in login page"
|
||||
msgstr "MFA 在登录页面输入"
|
||||
|
|
|
@ -564,6 +564,7 @@ class Config(dict):
|
|||
# 安全配置
|
||||
'SECURITY_MFA_AUTH': 0, # 0 不开启 1 全局开启 2 管理员开启
|
||||
'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
|
||||
'SECURITY_MFA_BY_EMAIL': False,
|
||||
'SECURITY_COMMAND_EXECUTION': False,
|
||||
'SECURITY_COMMAND_BLACKLIST': [
|
||||
'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'
|
||||
|
|
|
@ -325,9 +325,10 @@ MFA_BACKEND_OTP = 'authentication.mfa.otp.MFAOtp'
|
|||
MFA_BACKEND_FACE = 'authentication.mfa.face.MFAFace'
|
||||
MFA_BACKEND_RADIUS = 'authentication.mfa.radius.MFARadius'
|
||||
MFA_BACKEND_SMS = 'authentication.mfa.sms.MFASms'
|
||||
MFA_BACKEND_EMAIL = 'authentication.mfa.email.MFAEmail'
|
||||
MFA_BACKEND_CUSTOM = 'authentication.mfa.custom.MFACustom'
|
||||
|
||||
MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE]
|
||||
MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE, MFA_BACKEND_EMAIL]
|
||||
|
||||
MFA_CUSTOM = CONFIG.MFA_CUSTOM
|
||||
MFA_CUSTOM_FILE_MD5 = CONFIG.MFA_CUSTOM_FILE_MD5
|
||||
|
|
|
@ -34,6 +34,7 @@ FTP_FILE_MAX_STORE = CONFIG.FTP_FILE_MAX_STORE
|
|||
# Security settings
|
||||
SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
|
||||
SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
|
||||
SECURITY_MFA_BY_EMAIL = CONFIG.SECURITY_MFA_BY_EMAIL
|
||||
SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME # Unit: minute
|
||||
SECURITY_MAX_SESSION_TIME = CONFIG.SECURITY_MAX_SESSION_TIME # Unit: hour
|
||||
SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION
|
||||
|
|
|
@ -124,6 +124,11 @@ class SecurityAuthSerializer(serializers.Serializer):
|
|||
label=_('Third-party login MFA'),
|
||||
help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
|
||||
)
|
||||
SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
|
||||
required=False, default=False,
|
||||
label=_('MFA via Email'),
|
||||
help_text=_('Email as a method for multi-factor authentication')
|
||||
)
|
||||
OTP_ISSUER_NAME = serializers.CharField(
|
||||
required=False, max_length=16, label=_('OTP issuer name'),
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue