Sorry for not answering any earlier - too much work. Well, in my application (which is in production) I've solved the problem as follows: I've written a controller fully under my control (including 2FA and groups) with just the administration functions I need (users, groups and a rights system on the business objects of my application). On all productive instances (compiled) I've just moved the controllers of appadmin (controllers.appadmin.*) as well as the admin app to a hidden folder - if needed I can move them back.

That's how it works for me. If you're interested in this solution, just say "sounds interesting to me ;-)" and we can have a further conversation on the details.

@Jim: Good to see that you're still in. My plan is to move in 2024 to py4web and have more contact with the community again. web2py is getting more and more a lonely path ;-)

Regards from Germany
Clemens

On Friday, September 1, 2023 at 5:53:34 PM UTC+2 Jim S wrote:
> So, are you trying to protect the 'admin' application with 2fa?
>
> If so, can you add the 2fa code to the admin app?
>
> I haven't tried this before
>
> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>
>> this admin
>>
>> https://mysite.com/admin
>>
>> On Fri., 1 Sep. 2023 at 16:08, Jim S <ato....@gmail.com> wrote:
>>
>>> What does 'administrator password' mean to you?
>>>
>>> I'm not sure what you're referring to
>>>
>>> -Jim
>>>
>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>
>>>> Hello Jim
>>>> this line of code
>>>> auth.settings.auth_two_factor_enabled = True
>>>> does not protect the administrator password. Only created users.
>>>> That is my question, how to force the administrator to use 2fa?
>>>> regards
>>>> António
>>>>
>>>> On Fri., 1 Sep. 2023 at 15:00, Jim S <ato....@gmail.com> wrote:
>>>>
>>>>> Here is the code I wrote that only enforced 2fa for users outside our
>>>>> local networks.
>>>>>
>>>>> There is some commented out code there that additionally allowed me to
>>>>> specify users in a group so only that group was forced to 2fa
>>>>>
>>>>> import datetime
>>>>> import ipaddress
>>>>>
>>>>>
>>>>> def _two_factor_required(auth_user):
>>>>>     """
>>>>>     check whether we need to enforce MFA on this login
>>>>>
>>>>>     We enforce MFA only on logins external to our network.
>>>>>
>>>>>     Returns
>>>>>     -------
>>>>>     bool - enforce MFA
>>>>>         - True means this login requires MFA
>>>>>         - False means we will not enforce MFA for this login
>>>>>     """
>>>>>     return False  # temp use to disable mfa (everything below is skipped while this line is in place)
>>>>>
>>>>>     # default: require MFA unless one of the rules below exempts this login
>>>>>     return_value = True
>>>>>
>>>>>     if len(request.args) > 0 and request.args[0] == "login":
>>>>>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>>>>>             # no mfa required if the user override is set - we added a field in
>>>>>             # auth_user to allow us to override if a user was having trouble or
>>>>>             # lost their phone or something
>>>>>             return False
>>>>>
>>>>>         qlf_networks = [
>>>>>             "9.9.9.9/22",
>>>>>             "9.9.9.0/24",
>>>>>             "9.9.9.101/24",
>>>>>         ]
>>>>>
>>>>>         # strict=False: an entry like "9.9.9.9/22" has host bits set and would
>>>>>         # otherwise raise ValueError; the unicode() wrapper was only needed on Python 2
>>>>>         local_networks = [
>>>>>             ipaddress.IPv4Network(net, strict=False) for net in qlf_networks
>>>>>         ]
>>>>>
>>>>>         client = ipaddress.IPv4Address(request.client)
>>>>>         if any(client in net for net in local_networks):
>>>>>             # if the client address is in the local address list, then do NOT
>>>>>             # require MFA so set to False
>>>>>             return_value = False
>>>>>
>>>>>         # build the MFA Required group members
>>>>>         # if return_value:
>>>>>         #     print(datetime.datetime.now())
>>>>>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>>>>>         #     if not ag:
>>>>>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>>>>>         #     for ou in db(
>>>>>         #         (db.auth_user.active == True)
>>>>>         #         | (
>>>>>         #             (db.auth_user.mfa_override == None)
>>>>>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>>>>>         #         )
>>>>>         #     ).select():
>>>>>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>>>>>         #
>>>>>         #     # clear out any members that are currently exempt from MFA
>>>>>         #     if ag:
>>>>>         #         for exempt_user in db(
>>>>>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>>>>>         #             & (db.auth_user.active == True)
>>>>>         #         ).select():
>>>>>         #             db(
>>>>>         #                 (db.auth_membership.group_id == ag.id)
>>>>>         #                 & (db.auth_membership.user_id == exempt_user.id)
>>>>>         #             ).delete()
>>>>>         #     db.commit()
>>>>>         #
>>>>>         #     print(datetime.datetime.now())
>>>>>         #
>>>>>         #     # set to False to force web2py to check the two_factor_authentication group
>>>>>         #     return_value = False
>>>>>
>>>>>     return return_value
>>>>>
>>>>> That code is in db.py
>>>>>
>>>>> Then....
>>>>>
>>>>> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
>>>>> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
>>>>> auth.settings.two_factor_methods = [
>>>>>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
>>>>> ]
>>>>>
>>>>> My _send_sms code built an sms and sent it via Twilio or RingCentral
>>>>>
>>>>> I wrote this code, but then we ended up not implementing. The web2py
>>>>> code is going away for us. All the same concepts work in py4web (nudge
>>>>> wink wink)
>>>>>
>>>>> -Jim
>>>>>
>>>>> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>>>>>
>>>>>> Can anyone help me?
>>>>>>
>>>>>> On Wed., 30 Aug. 2023 at 10:14, António Ramos <ramst...@gmail.com> wrote:
>>>>>>
>>>>>>> in other words, how do I protect the administrator password? it does
>>>>>>> not have a username, just a password. This is scary :)
>>>>>>>
>>>>>>> On Tue., 29 Aug. 2023 at 19:44, António Ramos <ramst...@gmail.com> wrote:
>>>>>>>
>>>>>>>> But that is for everyone, I just want to start with users with
>>>>>>>> admin powers
>>>>>>>>
>>>>>>>> Clemens <clemens....@claret-clover.de> wrote on Tue., 29/08/2023 at 18:25:
>>>>>>>>
>>>>>>>>> Try enabling 2FA via the following setting, since this is for all
>>>>>>>>> users:
>>>>>>>>> auth.settings.auth_two_factor_enabled = True
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Clemens
>>>>>>>>>
>>>>>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>>>>>
>>>>>>>>>> I just activated the two step auth with this
>>>>>>>>>>
>>>>>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>>>>>
>>>>>>>>>> but now how do I include the administrator user?
>>>>>>>>>>
>>>>>>>>>> regards
>>>>>>>>>> António
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Resources:
>>>>>>>>> - http://web2py.com
>>>>>>>>> - http://web2py.com/book (Documentation)
>>>>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>>>>> ---
>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>> Groups "web2py-users" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>> send an email to web2py+un...@googlegroups.com.
>>>>>>>>> To view this discussion on the web visit
>>>>>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>>>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>>>>> .
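As an added example (not code from Jim's post or from web2py), here is the same "MFA only for logins from outside our networks" rule from the thread as a stand-alone, testable function: the trusted ranges, the override timestamp and the client addresses are constructed placeholders, and unlike the original it fails closed on an unparsable client address and accepts ranges written with host bits set.

```python
# Added example (not Jim's or Clemens's code): a stand-alone version of the
# "MFA only for logins from outside our networks" policy from the thread,
# written so it can be unit-tested without web2py's request/db globals.
# Network ranges, the override timestamp and the client IPs are constructed.
import datetime
import ipaddress

# Constructed trusted ranges. Entries in the style of the thread's "9.9.9.9/22"
# have host bits set, so they are parsed with strict=False instead of raising
# ValueError as IPv4Network("9.9.9.9/22") would.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n, strict=False)
    for n in ("192.0.2.0/24", "198.51.100.9/22")
]


def two_factor_required(client_ip, mfa_override=None, now=None,
                        trusted=TRUSTED_NETWORKS):
    """Return True if this login must complete MFA.

    client_ip    : the address web2py exposes as request.client (a string)
    mfa_override : optional datetime; while it lies in the future the user is
                   exempt (the per-user escape hatch described in the thread)
    now          : injectable clock so the override rule can be tested
    """
    now = now or datetime.datetime.now()

    # Per-user temporary exemption (lost phone etc.), as in the thread.
    if mfa_override is not None and now <= mfa_override:
        return False

    # request.client can be derived from proxy headers; anything that is not a
    # valid address is treated as untrusted and MFA is required (fail closed).
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True

    # Membership test against the networks directly; no need to expand a /22
    # into 1024 individual addresses as the original ip_list did.
    if any(addr in net for net in trusted):
        return False
    return True
```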