From cdf7911fbb07e0cb844de8c6930983637bc2c630 Mon Sep 17 00:00:00 2001
From: bart-maykin <bart.burgman@maykinmedia.nl>
Date: Wed, 19 Jun 2024 14:43:46 +0200
Subject: [PATCH] :sparkles: [#1637] added environmental variable to disable
 2fa in base.py

---
 CHANGELOG.rst                 | 1 +
 src/nrc/conf/dev.py           | 4 ----
 src/nrc/conf/includes/base.py | 5 +++++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 53b1261c..548c0068 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -7,6 +7,7 @@ Changes
 
 **New features**
 
+* [#1637] Added 2FA which is disabled by the environment variable``DISABLE_2FA`` by default.
 * [#135] Added ``createinitialsuperuser`` management command to create admin superuser
 * [#87] Supported configuration of the API with a management command ``setup_configuration`` and environment variables
 * [open-zaak/open-zaak#1203] Added configuration of retry variables with admin UI and with
diff --git a/src/nrc/conf/dev.py b/src/nrc/conf/dev.py
index 061fef22..2510b52d 100644
--- a/src/nrc/conf/dev.py
+++ b/src/nrc/conf/dev.py
@@ -50,10 +50,6 @@
 INTERNAL_IPS = ("127.0.0.1",)
 DEBUG_TOOLBAR_CONFIG = {"INTERCEPT_REDIRECTS": False}
 
-# None of the authentication backends require two-factor authentication.
-if config("DISABLE_2FA", default=True):  # pragma: no cover
-    MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = AUTHENTICATION_BACKENDS
-
 # in memory cache and django-axes don't get along.
 # https://django-axes.readthedocs.io/en/latest/configuration.html#known-configuration-problems
 CACHES = {
diff --git a/src/nrc/conf/includes/base.py b/src/nrc/conf/includes/base.py
index 8c01d48b..9d479b4c 100644
--- a/src/nrc/conf/includes/base.py
+++ b/src/nrc/conf/includes/base.py
@@ -532,6 +532,11 @@
     "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
 ]
 
+# if DISABLE_2FA is true, fill the MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS with all
+# configured AUTHENTICATION_BACKENDS and thus disabeling the entire 2FA chain
+if config("DISABLE_2FA", default=True):  # pragma: no cover
+    MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = AUTHENTICATION_BACKENDS
+
 #
 # SENTRY - error monitoring
 #