diff --git a/admin_ui/src/components/DropDownMenu.vue b/admin_ui/src/components/DropDownMenu.vue index 7089a1de..07b2b0b9 100644 --- a/admin_ui/src/components/DropDownMenu.vue +++ b/admin_ui/src/components/DropDownMenu.vue @@ -4,11 +4,7 @@ - + diff --git a/admin_ui/src/components/NavBar.vue b/admin_ui/src/components/NavBar.vue index 4a68b04d..0c9558bc 100644 --- a/admin_ui/src/components/NavBar.vue +++ b/admin_ui/src/components/NavBar.vue @@ -44,7 +44,8 @@ {{ truncatedUsername }} - + + diff --git a/admin_ui/src/components/NavDropDownMenu.vue b/admin_ui/src/components/NavDropDownMenu.vue index 2714ffeb..9e27490d 100644 --- a/admin_ui/src/components/NavDropDownMenu.vue +++ b/admin_ui/src/components/NavDropDownMenu.vue @@ -13,13 +13,18 @@ >{{ $t("Change Password") }} +
  • + + {{ $t("MFA Setup") }} + +
  • - + {{ $t("Light Mode") }}
  • - + {{ $t("Dark Mode") }}
    • @@ -29,7 +34,7 @@ >
  • - + {{ $t("About") }} Piccolo diff --git a/admin_ui/src/fontawesome.ts b/admin_ui/src/fontawesome.ts index 6e8e9146..e70731d7 100644 --- a/admin_ui/src/fontawesome.ts +++ b/admin_ui/src/fontawesome.ts @@ -30,6 +30,7 @@ import { faLayerGroup, faLevelUpAlt, faLink, + faMobileAlt, faMoon, faPlus, faQuestionCircle, @@ -74,6 +75,7 @@ library.add( faLayerGroup, faLevelUpAlt, faLink, + faMobileAlt, faMoon, faPlus, faQuestionCircle, diff --git a/admin_ui/src/interfaces.ts b/admin_ui/src/interfaces.ts index 645a9601..0962eafa 100644 --- a/admin_ui/src/interfaces.ts +++ b/admin_ui/src/interfaces.ts @@ -35,7 +35,7 @@ export interface FetchSingleRowConfig { export interface APIResponseMessage { contents: string - type: string + type: "success" | "error" | "neutral" } export interface OrderByConfig { diff --git a/admin_ui/src/views/Login.vue b/admin_ui/src/views/Login.vue index 4f1e0040..d5c120bc 100644 --- a/admin_ui/src/views/Login.vue +++ b/admin_ui/src/views/Login.vue @@ -10,6 +10,17 @@ + + + @@ -26,7 +37,9 @@ export default defineComponent({ data() { return { username: "", - password: "" + password: "", + mfaCode: "", + mfaCodeRequired: false } }, components: { @@ -43,16 +56,31 @@ export default defineComponent({ try { await axios.post(`./public/login/`, { username: this.username, - password: this.password + password: this.password, + ...(this.mfaCodeRequired ? { mfa_code: this.mfaCode } : {}) }) } catch (error) { console.log("Request failed") + if (axios.isAxiosError(error)) { console.log(error.response) - this.$store.commit("updateApiResponseMessage", { - contents: "Problem logging in", - type: "error" - }) + + if ( + error.response?.status == 401 && + error.response?.data?.detail == "MFA code required" + ) { + this.$store.commit("updateApiResponseMessage", { + contents: "MFA code required", + type: "neutral" + }) + + this.mfaCodeRequired = true + } else { + this.$store.commit("updateApiResponseMessage", { + contents: "Problem logging in", + type: "error" + }) + } } return diff --git a/docs/source/index.rst b/docs/source/index.rst index 182a57f8..8e6589da 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -49,6 +49,7 @@ Table of Contents ../sidebar_links/index ../actions/index ../media_storage/index + ../mfa/index ../internationalization/index ../rest_api_documentation/index ../debugging/index diff --git a/docs/source/mfa/index.rst b/docs/source/mfa/index.rst new file mode 100644 index 00000000..e073ff71 --- /dev/null +++ b/docs/source/mfa/index.rst @@ -0,0 +1,8 @@ +Multi-factor Authentication +=========================== + +Piccolo Admin supports Multi-factor Authentication (MFA). See the +``mfa_providers`` argument in ``create_admin``. + +We currently recommend using the ``AuthenticatorProvider`` with +``XChaCha20Provider`` for encryption. diff --git a/piccolo_admin/endpoints.py b/piccolo_admin/endpoints.py index 897a1164..ce96dd0c 100644 --- a/piccolo_admin/endpoints.py +++ b/piccolo_admin/endpoints.py @@ -35,6 +35,8 @@ from piccolo_api.fastapi.endpoints import FastAPIKwargs, FastAPIWrapper from piccolo_api.media.base import MediaStorage from piccolo_api.media.local import LocalMediaStorage +from piccolo_api.mfa.endpoints import mfa_setup +from piccolo_api.mfa.provider import MFAProvider from piccolo_api.openapi.endpoints import swagger_ui from piccolo_api.rate_limiting.middleware import ( InMemoryLimitProvider, @@ -431,12 +433,17 @@ def __init__( allowed_hosts: t.Sequence[str] = [], debug: bool = False, sidebar_links: t.Dict[str, str] = {}, + mfa_providers: t.Optional[t.Sequence[MFAProvider]] = None, ) -> None: super().__init__( title=site_name, description=f"{site_name} documentation", middleware=[ - Middleware(CSRFMiddleware, allowed_hosts=allowed_hosts) + Middleware( + CSRFMiddleware, + allowed_hosts=allowed_hosts, + allow_form_param=True, + ) ], debug=debug, exception_handlers={500: log_error}, @@ -680,6 +687,30 @@ def __init__( ), ) + ####################################################################### + # MFA + + if mfa_providers: + if len(mfa_providers) > 1: + raise ValueError( + "Only a single mfa_provider is currently supported." + ) + + for mfa_provider in mfa_providers: + private_app.mount( + path="/mfa-setup/", + # This rate limiting is because some of the forms accept + # a password, and generating recovery codes is somewhat + # expensive, so we want to prevent abuse. + app=RateLimitingMiddleware( + app=mfa_setup( + provider=mfa_provider, + auth_table=self.auth_table, + ), + provider=InMemoryLimitProvider(limit=20, timespan=300), + ), + ) + ####################################################################### public_app = FastAPI( @@ -692,11 +723,14 @@ def __init__( if not rate_limit_provider: rate_limit_provider = InMemoryLimitProvider( - limit=100, timespan=300 + limit=20, + timespan=300, ) public_app.mount( path="/login/", + # This rate limiting is to prevent brute forcing password login, + # and MFA codes. app=RateLimitingMiddleware( app=session_login( auth_table=self.auth_table, @@ -705,6 +739,7 @@ def __init__( max_session_expiry=max_session_expiry, redirect_to=None, production=production, + mfa_providers=mfa_providers, ), provider=rate_limit_provider, ), @@ -1083,6 +1118,7 @@ def create_admin( allowed_hosts: t.Sequence[str] = [], debug: bool = False, sidebar_links: t.Dict[str, str] = {}, + mfa_providers: t.Optional[t.Sequence[MFAProvider]] = None, ): """ :param tables: @@ -1203,6 +1239,8 @@ def create_admin( "Google": "https://google.com" }, ) + param mfa_providers: + Enables Multi-factor Authentication in the login process. """ # noqa: E501 auth_table = auth_table or BaseUser @@ -1249,4 +1287,5 @@ def create_admin( allowed_hosts=allowed_hosts, debug=debug, sidebar_links=sidebar_links, + mfa_providers=mfa_providers, ) diff --git a/piccolo_admin/example.py b/piccolo_admin/example.py index e51d67c8..a8d32447 100644 --- a/piccolo_admin/example.py +++ b/piccolo_admin/example.py @@ -45,8 +45,13 @@ from piccolo.engine.postgres import PostgresEngine from piccolo.engine.sqlite import SQLiteEngine from piccolo.table import Table, create_db_tables_sync, drop_db_tables_sync +from piccolo_api.encryption.providers import XChaCha20Provider from piccolo_api.media.local import LocalMediaStorage from piccolo_api.media.s3 import S3MediaStorage +from piccolo_api.mfa.authenticator.provider import AuthenticatorProvider +from piccolo_api.mfa.authenticator.tables import ( + AuthenticatorSecret as AuthenticatorSecret_, +) from piccolo_api.session_auth.tables import SessionsBase from pydantic import BaseModel, field_validator from starlette.requests import Request @@ -139,6 +144,10 @@ class User(BaseUser, tablename="piccolo_user"): pass +class AuthenticatorSecret(AuthenticatorSecret_): + pass + + class Director(Table, help_text="The main director for a movie."): class Gender(str, enum.Enum): male = "m" @@ -439,6 +448,7 @@ def booking_endpoint(request: Request, data: BookingModel) -> str: Studio, User, Sessions, + AuthenticatorSecret, Ticket, ArrayColumns, NullableColumns, @@ -607,6 +617,16 @@ def booking_endpoint(request: Request, data: BookingModel) -> str: "Top Movies": "/#/movie?__order=-box_office", "Google": "https://google.com", }, + mfa_providers=[ + AuthenticatorProvider( + encryption_provider=XChaCha20Provider( + encryption_key=( + b"\x01\xfdN\xe4E?\xaa\xf8=1.7.0 -piccolo_api>=1.3.1 +piccolo_api>=1.5.2 uvicorn aiofiles>=0.5.0 Hypercorn diff --git a/requirements/test-requirements.txt b/requirements/test-requirements.txt index f8a33ade..3ce95ac8 100644 --- a/requirements/test-requirements.txt +++ b/requirements/test-requirements.txt @@ -1,7 +1,7 @@ pytest==8.0.1 pytest-cov==4.1.0 flake8==7.0.0 -piccolo[postgres,sqlite]>=1.4.0 +piccolo[postgres,sqlite]>=1.16.0 playwright==1.41.2 pytest-playwright==0.4.4 httpx>=0.20.0 diff --git a/tests/piccolo_conf.py b/tests/piccolo_conf.py index be459dc7..0f0db739 100644 --- a/tests/piccolo_conf.py +++ b/tests/piccolo_conf.py @@ -1,3 +1,3 @@ from piccolo.engine.sqlite import SQLiteEngine -DB = SQLiteEngine(path="piccolo_api_test.sqlite") +DB = SQLiteEngine(path="piccolo_admin_test.sqlite") diff --git a/tests/test_endpoints.py b/tests/test_endpoints.py index f7563af5..f38efa8b 100644 --- a/tests/test_endpoints.py +++ b/tests/test_endpoints.py @@ -14,9 +14,11 @@ Varchar, ) from piccolo.table import Table, create_db_tables_sync, drop_db_tables_sync +from piccolo.testing.test_case import TableTest from piccolo_api.crud.hooks import Hook, HookType from piccolo_api.crud.validators import Validators from piccolo_api.media.local import LocalMediaStorage +from piccolo_api.mfa.authenticator.tables import AuthenticatorSecret from piccolo_api.session_auth.tables import SessionsBase from starlette.exceptions import HTTPException from starlette.testclient import TestClient @@ -241,19 +243,17 @@ def test_auth_exception(self): self.assertEqual(response.status_code, 401) -class TestForms(TestCase): +class TestForms(TableTest): credentials = {"username": "Bob", "password": "bob123"} + tables = [BaseUser, SessionsBase, AuthenticatorSecret] + def setUp(self): - create_db_tables_sync(SessionsBase, BaseUser, if_not_exists=True) + super().setUp() BaseUser.create_user_sync( **self.credentials, active=True, admin=True, superuser=True ) - def tearDown(self): - SessionsBase.alter().drop_table().run_sync() - BaseUser.alter().drop_table().run_sync() - def test_forms(self): """ Make sure the form listing can be retrieved, and the schema for a form. @@ -449,18 +449,17 @@ def test_sidebar_links(self): ) -class TestMediaStorage(TestCase): +class TestMediaStorage(TableTest): credentials = {"username": "Bob", "password": "bob123"} + tables = [BaseUser, SessionsBase, AuthenticatorSecret] + def setUp(self): - create_db_tables_sync(SessionsBase, BaseUser, if_not_exists=True) + super().setUp() BaseUser.create_user_sync( **self.credentials, active=True, admin=True, superuser=True ) - def tearDown(self): - drop_db_tables_sync(SessionsBase, BaseUser) - @patch("piccolo_api.media.base.uuid") def test_image_upload(self, uuid_module: MagicMock): uuid_value = uuid.uuid4() @@ -608,18 +607,17 @@ def test_generate_file_url_read_only(self): ) -class TestTables(TestCase): +class TestTables(TableTest): credentials = {"username": "Bob", "password": "bob123"} + tables = [SessionsBase, BaseUser, AuthenticatorSecret] + def setUp(self): - create_db_tables_sync(SessionsBase, BaseUser, if_not_exists=True) + super().setUp() BaseUser.create_user_sync( **self.credentials, active=True, admin=True, superuser=True ) - def tearDown(self): - drop_db_tables_sync(SessionsBase, BaseUser) - def test_tables(self): """ Make sure the table listing can be retrieved.