Allow disabling 2FA

maykinmedia · Mar 14, 2024 · e3f28ca · e3f28ca
1 parent b68b437
commit e3f28ca
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,14 @@
 Change history
 ==============
 
+2.3.0 (TBD)
+-----------
+
+.. warning::
+
+    Two-factor authentication is enabled by default. The ``DISABLE_2FA`` environment variable
+    can be used to disable it if needed.
+
 2.2.1 (2024-03-02)
 ------------------
 

diff --git a/docs/installation/config.rst b/docs/installation/config.rst
@@ -95,6 +95,9 @@ Other settings
   traefik, Apache...). Default ``False`` - this is a header that can be spoofed and you
   need to ensure you control it before enabling this.
 
+* ``DISABLE_2FA``: whether to disable two-factor authentication. Defaults to ``False``.
+  If set to ``False``, 2FA will be required if not using OIDC.
+
 Initial superuser creation
 --------------------------
 

diff --git a/src/objects/conf/base.py b/src/objects/conf/base.py
@@ -433,6 +433,9 @@
     "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
 ]
 
+if config("DISABLE_2FA", default=False):  # pragma: no cover
+    MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = AUTHENTICATION_BACKENDS
+
 #
 # Mozilla Django OIDC DB settings
 #