Here is the code I wrote that only enforced 2FA for users outside our local 
networks.

There is some commented-out code there that additionally allowed me to 
specify users in a group so only that group was forced to 2FA.

import datetime
import ipaddress


def _two_factor_required(auth_user):
    """
    Check whether we need to enforce MFA on this login.

    We enforce MFA only on logins external to our network.

    Returns
    -------
    bool - enforce MFA
        - True means this login requires MFA
        - False means we will not enforce MFA for this login
    """
    return False  # temp use to disable mfa - remove this line to enable the checks below

    # only apply the rule on the login action itself (request is the web2py global)
    if len(request.args) > 0 and request.args[0] == "login":
        # mfa_override is a datetime field we added to auth_user so we can exempt
        # a user who is having trouble or lost their phone or something;
        # the exemption lasts until that datetime has passed
        if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
            return False

        # default: require MFA unless the client address proves to be local
        return_value = True

        # local ranges (placeholders); strict=False tolerates host bits in the prefix
        qlf_networks = [
            ipaddress.ip_network(cidr, strict=False)
            for cidr in ("9.9.9.9/22", "9.9.9.0/24", "9.9.9.101/24")
        ]

        # request.client is already a str on Python 3 (unicode() was for Python 2);
        # a missing or malformed address fails closed and requires MFA
        try:
            client_addr = ipaddress.ip_address(request.client)
        except ValueError:
            return True

        if any(client_addr in net for net in qlf_networks):
            #  the client address is on a local network, so do NOT require MFA
            return_value = False

        #  build the MFA Required group members
        # if return_value:
        #     print(datetime.datetime.now())
        #     mfa_role = "MFA Required (web2py)"
        #     ag = db(db.auth_group.role == mfa_role).select().first()
        #     if not ag:
        #         ag = db.auth_group(db.auth_group.insert(role=mfa_role))
        #     #  every active user whose override is unset or expired joins the group
        #     for ou in db(
        #         (db.auth_user.active == True)
        #         & (
        #             (db.auth_user.mfa_override == None)
        #             | (db.auth_user.mfa_override <= datetime.datetime.now())
        #         )
        #     ).select():
        #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag.id)
        #
        #     #  clear out any members that are currently exempt from MFA
        #     for exempt_user in db(
        #         (db.auth_user.mfa_override >= datetime.datetime.now())
        #         & (db.auth_user.active == True)
        #     ).select():
        #         db(
        #             (db.auth_membership.group_id == ag.id)
        #             & (db.auth_membership.user_id == exempt_user.id)
        #         ).delete()
        #     db.commit()
        #
        #     print(datetime.datetime.now())
        #
        #     #  set to False to force web2py to check the
        #     #  two_factor_authentication group
        #     return_value = False

        return return_value

    # not the login action: nothing to enforce here
    return False

That code is in db.py

Then....

auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
auth.settings.two_factor_methods = [
    lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
]

My _send_sms code built an SMS and sent it via Twilio or RingCentral.

I wrote this code, but then we ended up not implementing it.  The web2py code 
is going away for us.  All the same concepts work in py4web (nudge wink 
wink)

-Jim


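The policy above, as an added example that is not Jim's code or web2py's: the same "external logins only" rule written as a standalone function so it can be exercised outside web2py, extended to the thread's "start with admin users" case, and failing closed on a client address it cannot parse. The trusted ranges, the `roles` argument and the "admin" role name are assumptions.

```python
import datetime
import ipaddress

# Constructed sample ranges standing in for the office networks (the
# addresses in the post are placeholders too). strict=False tolerates a
# prefix written with host bits set, like "9.9.9.101/24" in the post.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("10.20.0.0/22", "192.0.2.0/24")
]

# Fixed "current time" so the rule can be exercised deterministically.
SAMPLE_NOW = datetime.datetime(2023, 9, 1, 12, 0, 0)


def mfa_required(client_ip, now, mfa_override=None, roles=(), admins_only=False):
    """Decide whether a login must complete MFA (True) or may skip it (False).

    client_ip    - the remote address string web2py exposes as request.client
    now          - current datetime, injected so the rule is testable
    mfa_override - optional datetime; while it lies in the future the user is
                   exempt (the auth_user.mfa_override field from the post)
    roles        - the user's auth_group role names (assumed input)
    admins_only  - when True, only users holding the assumed "admin" role are
                   ever challenged (the thread's "admin users first" case)
    """
    # 1. A still-valid per-user override wins over every other rule.
    if mfa_override is not None and now <= mfa_override:
        return False
    # 2. Optional scoping to privileged accounts only.
    if admins_only and "admin" not in roles:
        return False
    # 3. Parse the client address; a missing or malformed value fails closed,
    #    which is the safe direction for an authentication check.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    # 4. Anything outside a trusted range is external and must do MFA.
    #    An IPv6 client is never "in" an IPv4 network, so it counts as external.
    return not any(addr in net for net in TRUSTED_NETWORKS)
```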

On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:

> Can anyone help me?
>
> On Wed., 30 Aug 2023 at 10:14, António Ramos <ramst...@gmail.com> 
> wrote:
>
>> In other words, how do I protect the administrator password? It does not 
>> have a username, just a password. This is scary :)
>>
>>
>> On Tue., 29 Aug 2023 at 19:44, António Ramos <ramst...@gmail.com> 
>> wrote:
>>
>>> But that is for everyone; I just want to start with users with admin 
>>> powers.
>>>
>>> Clemens <clemens....@claret-clover.de> wrote on Tue., 29/08/2023 at 
>>> 18:25:
>>>
>>>> Try enabling 2FA via the following setting, since this is for all users:
>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>
>>>> Regards
>>>> Clemens
>>>>
>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>
>>>>> I just activated the two-step auth with this:
>>>>>
>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>
>>>>>
>>>>> But now how do I include the administrator user?
>>>>>
>>>>> Regards
>>>>> António
>>>>>
>>>> -- 
>>>> Resources:
>>>> - http://web2py.com
>>>> - http://web2py.com/book (Documentation)
>>>> - http://github.com/web2py/web2py (Source code)
>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "web2py-users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to web2py+un...@googlegroups.com.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>  
>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
