Re: [web2py] Re: administrator login with 2fa

2023-09-03 Thread Clemens
Well, having a method that reports problems is great. My solution is primarily 
pragmatic: if needed, move the controllers back in and analyse; otherwise keep 
them out of reach.

After migrating to py4web I will think about such an error-mailing controller; 
sounds interesting.

On Friday, September 1, 2023 at 8:07:11 PM UTC+2 Jim S wrote:

> And to second your comment, I too have a controller method that gives 
> users with the proper access the ability to add additional users.
>
> The only other reason I would want to access admin is to look at error 
> messages/tickets. But I have some method in place to read the error 
> messages and forward them to me in an email.
>
>
> -Jim

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
And to second your comment, I too have a controller method that gives 
users with the proper access the ability to add additional users.

The only other reason I would want to access admin is to look at error 
messages/tickets. But I have some method in place to read the error 
messages and forward them to me in an email.


-Jim



On Friday, September 1, 2023 at 1:04:47 PM UTC-5 Jim S wrote:

> If I try to go to admin/appadmin web2py returns:
>
> Admin is disabled because insecure channel
>
> Isn't that just the default behavior?
>
> -Jim

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
If I try to go to admin/appadmin web2py returns:

Admin is disabled because insecure channel

Isn't that just the default behavior?

-Jim

On Friday, September 1, 2023 at 1:00:08 PM UTC-5 Clemens wrote:

> I don't, and that's why I (re)move these to a hidden folder at system 
> level :-) What I need is to give customers the option to add new users by 
> themselves. For that I've written a small controller under the control of 
> 2FA and so on.
>
> Regards
> Clemens

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Clemens
I don't, and that's why I (re)move these to a hidden folder at system 
level :-) What I need is to give customers the option to add new users by 
themselves. For that I've written a small controller under the control of 
2FA and so on.

Regards
Clemens


On Friday, September 1, 2023 at 7:40:19 PM UTC+2 Jim S wrote:

> I'm just curious
>
> Why do you need access to the admin/appadmin apps in a production 
> environment?
>
> I've never used them there. I use them in development, but never in production.
>
> -Jim

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
I'm just curious

Why do you need access to the admin/appadmin apps in a production 
environment?

I've never used them there. I use them in development, but never in production.

-Jim


On Friday, September 1, 2023 at 11:54:02 AM UTC-5 Clemens wrote:

> Removing the admin app as well as the appadmin controllers should kill all 
> options of administration. Move these two to a folder away from web2py. 
> And then can you still call https://.../admin/site or https://.../appadmin?

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Clemens
Removing the admin app as well as the appadmin controllers should kill all 
options of administration. Move these two to a folder away from web2py. 
And then can you still call https://.../admin/site or https://.../appadmin?

On Friday, September 1, 2023 at 6:44:31 PM UTC+2 Ramos wrote:

> Yes, I tried it on the admin app and it just does not work.
> :)

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread António Ramos
Yes, I tried it on the admin app and it just does not work.
:)


Em sex., 1 de set. de 2023 às 16:53, Jim S  escreveu:

> So, are you trying to protect the 'admin' application with 2fa?
>
> If so, can you add the 2fa code to the admin app?
>
> I haven't tried this before
>
> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>
>> this admin
>>
>> https://mysite.com/admin
>>
>> Em sex., 1 de set. de 2023 às 16:08, Jim S  escreveu:
>>
>>> What does 'administrator password' mean to you?
>>>
>>> I'm not sure what you're referring to
>>>
>>> -Jim
>>>
>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>
 Hello Jim
 this line of code
 auth.settings.auth_two_factor_enabled = True
 does not protect the administrator password. Only created users.
 That is my question, how to force administrator to use 2fa ?
 regards
 António

 Em sex., 1 de set. de 2023 às 15:00, Jim S 
 escreveu:

> Here is the code I wrote that only enforced 2fa for users outside our
> local networks.
>
> There is some commented-out code there that additionally allowed me to
> specify users in a group so only that group was forced to 2fa.
>
> import datetime
> import ipaddress
>
>
> def _two_factor_required(auth_user):
>     """
>     Check whether we need to enforce MFA on this login.
>
>     We enforce MFA only on logins external to our network.
>
>     Returns
>     ---
>     bool - enforce MFA
>     - True means this login requires MFA
>     - False means we will not enforce MFA for this login
>     """
>     return False  # temporary kill switch to disable MFA; delete this line to enable it
>
>     # only the login action is gated; any other action never asks for MFA
>     if not (len(request.args) > 0 and request.args[0] == "login"):
>         return False
>
>     # fail closed: the checks below can only relax this to False
>     return_value = True
>
>     # no MFA required while the user override is set - we added a datetime
>     # field mfa_override to auth_user to allow us to exempt a user who was
>     # having trouble or lost their phone or something
>     if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>         return False
>
>     # address ranges that count as "inside our network" (placeholders).
>     # strict=False is needed: "9.9.9.9/22" and "9.9.9.101/24" have host
>     # bits set, and IPv4Network() raises ValueError on them otherwise
>     qlf_networks = [
>         ipaddress.IPv4Network(cidr, strict=False)
>         for cidr in ("9.9.9.9/22", "9.9.9.0/24", "9.9.9.101/24")
>     ]
>
>     # request.client is web2py's guess of the client address and prefers
>     # the X-Forwarded-For header over REMOTE_ADDR, so only rely on it
>     # behind a proxy that overwrites that header
>     client = ipaddress.IPv4Address(str(request.client))
>     if any(client in net for net in qlf_networks):
>         # the client address is in the local address list, so do NOT
>         # require MFA
>         return_value = False
>
>     # build the MFA Required group members
>     # if return_value:
>     #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>     #     if not ag:
>     #         ag = db.auth_group[db.auth_group.insert(role="MFA Required (web2py)")]
>     #     for ou in db(
>     #         (db.auth_user.active == True)
>     #         & (
>     #             (db.auth_user.mfa_override == None)
>     #             | (db.auth_user.mfa_override <= datetime.datetime.now())
>     #         )
>     #     ).select():
>     #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag.id)
>     #
>     #     # clear out any members that are currently exempt from MFA
>     #     for exempt_user in db(
>     #         (db.auth_user.mfa_override >= datetime.datetime.now())
>     #         & (db.auth_user.active == True)
>     #     ).select():
>     #         db(
>     #             (db.auth_membership.group_id == ag.id)
>     #             & (db.auth_membership.user_id == exempt_user.id)
>     #         ).delete()
>     #     db.commit()
>     #
>     #     # set to False to force web2py to check the two_factor_authentication group
>     #     return_value = False
>
>     return return_value
>
> That code is in db.py
>
> Then
>
> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
> auth.settings.two_factor_methods = [
>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
> ]
>
> My _send_sms code built an SMS and sent it via Twilio or RingCentral.
>
> I wrote this code, but then we ended up not implementing it. The web2py
> code is going away for us. All the same concepts work in py4web (nudge
> wink wink)
>
> -Jim
>
>
>
> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>
>> 
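
The network-conditional policy from Jim's quoted code, as an added example that is not part of the thread or of web2py. It assumes the application sits behind a single reverse proxy that appends the real client to X-Forwarded-For, and uses constructed placeholder addresses for the internal ranges, the proxy and the sample logins; the mfa_override field is the one Jim describes adding to auth_user, modelled here as a dict key. It goes one step beyond the thread on the address check itself: web2py's request.client takes the first X-Forwarded-For address whenever that header is present, so a client connecting directly from the internet can forge the header and land in the "internal, no MFA" branch. The example resolves the client address only through a trusted proxy, fails closed on anything unparsable, and runs both resolvers over the same constructed logins so the bypass is visible.

```python
import datetime
import ipaddress

# Constructed placeholders standing in for the thread's redacted "9.9.9.x" ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("10.20.0.0/16", "192.168.1.0/24")
]
# The one reverse proxy whose X-Forwarded-For we believe (assumed address).
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.5/32")]
SAMPLE_NOW = datetime.datetime(2023, 9, 1, 12, 0, 0)   # fixed clock for the samples


def naive_client_address(env):
    """What web2py's request.client does: first X-Forwarded-For entry, else REMOTE_ADDR."""
    xff = env.get("http_x_forwarded_for", "")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(env["remote_addr"])


def client_address(env):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.

    A client that connects to us directly controls that header, so the
    header-first lookup above lets an internet client claim an internal
    address.  Our proxy appends the peer it saw, so the right-most entry
    is the only one it vouches for.
    """
    peer = ipaddress.ip_address(env["remote_addr"])
    if any(peer in proxy for proxy in TRUSTED_PROXIES):
        xff = env.get("http_x_forwarded_for", "")
        if xff:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def two_factor_required(user, env, args, now=None, resolver=client_address):
    """True when this login must complete MFA.  Fails closed on any doubt.

    user stands in for the auth_user row; "mfa_override" is the per-user
    exemption expiry Jim describes adding to that table.
    """
    now = now or datetime.datetime.now()
    if not args or args[0] != "login":
        return False                       # only the login action is gated
    override = user.get("mfa_override")
    if override is not None and now <= override:
        return False                       # temporary exemption still valid
    try:
        client = resolver(env)
    except (KeyError, ValueError):
        return True                        # no usable address: require MFA
    if any(client in net for net in INTERNAL_NETWORKS):
        return False                       # inside the office network
    return True                            # everything else is external


# Constructed logins; env holds the keys web2py exposes as request.env.remote_addr
# and request.env.http_x_forwarded_for.
SAMPLE_LOGINS = {
    "internal_direct":    {"remote_addr": "10.20.3.7"},
    "external_via_proxy": {"remote_addr": "10.20.0.5", "http_x_forwarded_for": "203.0.113.9"},
    "external_spoofed":   {"remote_addr": "203.0.113.9", "http_x_forwarded_for": "10.20.3.7"},
    "garbage_header":     {"remote_addr": "10.20.0.5", "http_x_forwarded_for": "not-an-ip"},
}
SAMPLE_USERS = {
    "plain": {},
    "exempt_until_tomorrow": {"mfa_override": SAMPLE_NOW + datetime.timedelta(days=1)},
    "exemption_expired": {"mfa_override": SAMPLE_NOW - datetime.timedelta(days=1)},
}


def decide(login, user="plain", action="login", resolver=client_address):
    """Run the policy over one constructed login and return the MFA decision."""
    return two_factor_required(SAMPLE_USERS[user], SAMPLE_LOGINS[login], [action],
                               now=SAMPLE_NOW, resolver=resolver)


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print("%-20s hardened=%-5s web2py-style=%s" % (
            login, decide(login), decide(login, resolver=naive_client_address)))
```

Running it shows the difference on the "external_spoofed" row: the hardened resolver still demands MFA, the web2py-style one waves the forged internal address through. Wiring this into the thread's setup means passing a function of the user into auth.settings.auth_two_factor_enabled, exactly as Jim's lambda does, with request.env providing the two address keys.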

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Clemens
Sorry for not answering earlier - too much work. Well, in my 
application (which is in production) I've solved the problem as follows: 
I've written a controller fully under my control (including 2FA and groups) 
with just the administration functions I need (users, groups and a rights 
system on the business objects of my application). On all production 
instances (compiled) I've just moved the controllers of appadmin 
(controllers.appadmin.*) as well as the admin app to a hidden folder - if 
needed I can move them back.

That's how it works for me. If you're interested in this solution, just say 
"sounds interesting to me ;-)" and we can have a further conversation on 
the details.

@Jim: Good to see that you're still in. My plan is to move to py4web in 2024 
and have more contact with the community again. web2py is getting more and 
more of a lonely path ;-)

Regards from Germany
Clemens

On Friday, September 1, 2023 at 5:53:34 PM UTC+2 Jim S wrote:

> So, are you trying to protect the 'admin' application with 2fa?
>
> If so, can you add the 2fa code to the admin app?
>
> I haven't tried this before

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
So, are you trying to protect the 'admin' application with 2fa?

If so, can you add the 2fa code to the admin app?

I haven't tried this before

On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:

> this admin
>
> https://mysite.com/admin

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread António Ramos
this admin

https://mysite.com/admin

Em sex., 1 de set. de 2023 às 16:08, Jim S  escreveu:

> What does 'administrator password' mean to you?
>
> I'm not sure what you're referring to
>
> -Jim

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
What does 'administrator password' mean to you?

I'm not sure what you're referring to

-Jim

On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:

> Hello Jim
> this line of code
> auth.settings.auth_two_factor_enabled = True
> does not protect the administrator password. Only created users.
> That is my question, how to force the administrator to use 2fa?
> regards
> António

Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread António Ramos
Hello Jim
this line of code
auth.settings.auth_two_factor_enabled = True
does not protect the administrator password. Only created users.
That is my question, how to force the administrator to use 2fa?
regards
António


Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread Jim S
Here is the code I wrote that only enforced 2fa for users outside our local 
networks.

There is some commented out code there that additionally allowed me to 
specify users in a group so only that group was forced to 2fa.

def _two_factor_required(auth_user):
    """
    check whether we need to enforce MFA on this login

    We enforce MFA only on logins external to our network.

    Returns
    -------
    bool - enforce MFA
        - True means this login requires MFA
        - False means we will not enforce MFA for this login
    """
    import datetime
    import ipaddress

    return False  # temp use to disable mfa (while this line is in, nothing below runs)

    if len(request.args) > 0 and request.args[0] == "login":
        if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
            # no mfa required if the user override is set - we added a field in
            # auth_user to allow us to override if a user was having trouble or
            # lost their phone or something
            return False

        # strict=False: entries such as 9.9.9.9/22 have host bits set and
        # IPv4Network() raises ValueError on them otherwise. The unicode()
        # wrapper needed by the Python 2 ipaddress backport is dropped; on
        # Python 3 a plain str is what the module expects.
        qlf_networks = [
            "9.9.9.9/22",
            "9.9.9.0/24",
            "9.9.9.101/24",
        ]
        local_networks = [ipaddress.IPv4Network(net, strict=False) for net in qlf_networks]

        client = ipaddress.IPv4Address(request.client)
        if any(client in net for net in local_networks):
            # if the client address is in the local address list, then do NOT
            # require MFA
            return False

        # build the MFA Required group members - alternative kept commented out:
        # put every active, non-exempt user in a group and let
        # auth.settings.two_factor_authentication_group do the enforcing
        # (the original query had & and | swapped, which selected every active
        # user regardless of override; insert() needs the role keyword)
        # ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
        # ag_id = ag.id if ag else db.auth_group.insert(role="MFA Required (web2py)")
        # for ou in db(
        #     (db.auth_user.active == True)
        #     & (
        #         (db.auth_user.mfa_override == None)
        #         | (db.auth_user.mfa_override <= datetime.datetime.now())
        #     )
        # ).select():
        #     db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag_id)
        #
        # # clear out any members that are currently exempt from MFA
        # for exempt_user in db(
        #     (db.auth_user.mfa_override >= datetime.datetime.now())
        #     & (db.auth_user.active == True)
        # ).select():
        #     db(
        #         (db.auth_membership.group_id == ag_id)
        #         & (db.auth_membership.user_id == exempt_user.id)
        #     ).delete()
        # db.commit()
        #
        # # set to False to force web2py to check the two_factor_authentication group
        # return False

        # external login with no override: this one needs MFA. The original
        # assigned return_value here but never initialised or returned it, so
        # the function fell through to None and MFA was never required.
        return True

    # not the login action: nothing to enforce here
    return False

That code is in db.py

Then

auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
auth.settings.two_factor_methods = [
    lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
]

My _send_sms code built an SMS and sent it via Twilio or RingCentral.

I wrote this code, but then we ended up not implementing it.  The web2py code 
is going away for us.  All the same concepts work in py4web (nudge wink 
wink)

-Jim



On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:

> Anyone can help me ?

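Jim's policy function, as an added example that is not from the post or from web2py, 
rewritten as a framework-independent module you can run and unit-test offline. It 
keeps the post's three decisions (login action only, a time-boxed per-user override, 
no MFA from trusted networks) and changes two things a reviewer would ask for. First, 
the default answer is True, so no path can fall through and return None, which is 
falsy and therefore "no MFA"; the post's function assigns return_value without 
initialising or returning it. Second, the client address is taken from 
X-Forwarded-For only when the TCP peer is a trusted proxy. That matters for this 
design because web2py fills request.client from the X-Forwarded-For header when one 
is present (falling back to remote_addr), so unless a proxy in front of web2py 
overwrites that header, an internet client can claim an office address and skip MFA. 
The network ranges, the proxy address, make_auth_two_factor_hook, fake_request and 
fake_user are constructed for the example; request.args, request.env.remote_addr and 
request.env.http_x_forwarded_for are assumed to be web2py's attribute names.

```python
import datetime
import ipaddress
from types import SimpleNamespace

# Constructed placeholder ranges for the example (the post shows redacted 9.9.9.x
# entries). The first one deliberately has host bits set, like the post's first entry.
TRUSTED_NETWORKS = ("10.20.0.9/22", "192.168.50.0/24")
# Assumption for the example: one reverse proxy in front of web2py at this address.
TRUSTED_PROXIES = ("10.0.0.5",)


def parse_networks(cidrs):
    """Parse CIDR strings into network objects.

    strict=False turns "10.20.0.9/22" into 10.20.0.0/22; the default strict mode
    raises ValueError when host bits are set, which is what the post's list
    would hit on its first entry."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def effective_client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the policy should judge, as an ip_address object.

    X-Forwarded-For is client-supplied text. It is honoured only when the TCP
    peer is one of our proxies, and then the right-most entry is used, because
    that is the hop our proxy appended. Anyone else claiming an office address
    in the header is judged on their real peer address."""
    peer = ipaddress.ip_address(remote_addr)
    proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
    if x_forwarded_for and peer in proxies:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return peer


def two_factor_required(client_ip, now, mfa_override_until=None,
                        trusted_networks=TRUSTED_NETWORKS):
    """True means this login must complete MFA.

    The default outcome is True; the two exemptions are explicit early returns,
    so no code path can fall through and return None (falsy, i.e. no MFA) the
    way the post's uninitialised return_value did."""
    if mfa_override_until is not None and now <= mfa_override_until:
        return False  # time-boxed per-user override (lost phone, etc.)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in parse_networks(trusted_networks)):
        return False  # login originates inside a trusted network
    return True


def make_auth_two_factor_hook(request, trusted_proxies=TRUSTED_PROXIES):
    """Build the callable to assign to auth.settings.auth_two_factor_enabled.

    Only request.args, request.env.remote_addr and request.env.http_x_forwarded_for
    are touched (assumed to be web2py's names), so fake_request() below can
    stand in for the real request object."""
    def hook(user):
        if not request.args or request.args[0] != "login":
            return False  # same narrowing as the post: only the login action
        ip = effective_client_ip(request.env.remote_addr,
                                 request.env.http_x_forwarded_for, trusted_proxies)
        return two_factor_required(str(ip), datetime.datetime.now(),
                                   getattr(user, "mfa_override", None))
    return hook


def fake_request(remote_addr, xff=None, args=("login",)):
    """Constructed stand-in for web2py's request object (example only)."""
    return SimpleNamespace(args=list(args),
                           env=SimpleNamespace(remote_addr=remote_addr,
                                               http_x_forwarded_for=xff))


def fake_user(mfa_override=None):
    """Constructed stand-in for an auth_user row with the post's mfa_override field."""
    return SimpleNamespace(mfa_override=mfa_override)


if __name__ == "__main__":
    # An internet client spoofing an office address in X-Forwarded-For still gets MFA.
    spoofed = make_auth_two_factor_hook(fake_request("203.0.113.7", xff="10.20.1.4"))
    print("spoofed header, untrusted peer -> MFA required:", spoofed(fake_user()))
    # The same office address arriving through the trusted proxy is exempt.
    via_proxy = make_auth_two_factor_hook(fake_request("10.0.0.5", xff="10.20.1.4"))
    print("office address via trusted proxy -> MFA required:", via_proxy(fake_user()))
```

In db.py the wiring is auth.settings.auth_two_factor_enabled = 
make_auth_two_factor_hook(request), with TRUSTED_NETWORKS and TRUSTED_PROXIES 
replaced by your own ranges. The right-most-hop rule assumes a single trusted proxy 
that appends the peer it saw; with a chain of proxies, walk the list from the right 
and skip every trusted proxy address instead.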
Re: [web2py] Re: administrator login with 2fa

2023-09-01 Thread António Ramos
Anyone can help me?

Em qua., 30 de ago. de 2023 às 10:14, António Ramos 
escreveu:

> In other words, how do I protect the administrator password? It does not
> have a username, just a password. This is scary :)

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CAEM0BxPnGmCsiRVSKU8FFfmxpwFfdjb%2BOi-FckKXVEVCq7HWpg%40mail.gmail.com.


Re: [web2py] Re: administrator login with 2fa

2023-08-30 Thread António Ramos
In other words, how do I protect the administrator password? It does not
have a username, just a password. This is scary :)


Em ter., 29 de ago. de 2023 às 19:44, António Ramos 
escreveu:

> But that is for everyone, I just want to start with users with admin
> powers.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CAEM0BxP_Gncp4AUtwB1FVtK-kv2CBpf%2B83yLG2a_dpA%3D8m%2Bf9A%40mail.gmail.com.


Re: [web2py] Re: administrator login with 2fa

2023-08-29 Thread António Ramos
But that is for everyone, I just want to start with users with admin powers.

Clemens  escreveu em ter., 29/08/2023 às
18:25 :

> Try enabling 2FA via the following setting, since this is for all users:
> auth.settings.auth_two_factor_enabled = True
>
> Regards
> Clemens
>
> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>
>> I just activated the two-step auth with this
>>
>> auth.settings.two_factor_authentication_group = "auth2step"
>>
>>
>> but now how do I include the administrator user?
>>
>> regards
>> António
>>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CAEM0BxMe9qqt_4cAhj0HRzC%2BaS6yQ%3DAx3XEksYJGcE%3DFh7wV%3Dg%40mail.gmail.com.