Some of this is now done.
Please help test it:

[X] Enable and disable plugins
[X] Enable and disable actions
[X] Require passwords of various complexity
[x] Force logout after x hours (WIP)
[X] No re-use of the last n passwords
[ ] Force new password on first login (WIP)
[ ] Two-factor authentication for users with 'administrator' access
[ ] Lock account after x failed login attempts.
[ ] Force new password every x days.

You need to copy this from _scaffold/common.py:

auth = Auth(session, db, define_tables=False)
auth.use_username = True
auth.registration_requires_confirmation = settings.VERIFY_EMAIL
auth.registration_requires_approval = settings.REQUIRES_APPROVAL
auth.allowed_actions = ['all']
auth.login_expiration_time = 3600
auth.password_complexity = {"entropy": 50}
auth.block_previous_password_num = 8
auth.define_tables()

And you also need the new _scaffold/static/components/auth.js and auth.html 
copied into your own app


Instead of a minimum complexity (entropy) you can specify a min length, 
number of required upper/lower case chars, and number of special chars.

auth.password_complexity = {"min": 8, "upper": 1, "lower": 1, "number": 1, "special": 1}

Personally I think this is EVIL. This is against the most recent NIST 
recommendations. An entropy of 50 is better. It forces long passwords that 
are easier to remember.



On Monday, 30 March 2020 07:42:42 UTC-7, Peter wrote:
>
> This is exactly what I need/do. One vote for this request.
>
> On Saturday, 28 March 2020 21:55:06 UTC+1, Paolo Caruccio wrote:
>>
>> In my case I only need login and logout.
>> The creation of an account will be done by other users with privileges 
>> established by the administrators. The modification of the profile will 
>> also be done partially by the user himself (change password, change email, 
>> add / change personal data etc) who has the account enabled and is already 
>> logged in.
>> Obviously I can delete all links and specific functions from the 
>> frontend, as well as I can require to approve any registration made from 
>> the outside but it would be more secure to also do a server-side prevention 
>> by disabling actions that are not needed.
>>
>>
>> On Saturday, 28 March 2020 20:30:48 UTC+1, Massimo Di Pierro wrote:
>>>
>>> not possible yet. I can implement it easily but I would like to 
>>> understand some use cases.
>>>
>>> On Saturday, 28 March 2020 10:12:32 UTC-7, Paolo Caruccio wrote:
>>>>
>>>> In py4web is there any way to disable some auth actions? I can't find 
>>>> anything in the code about this.
>>>>
>>>> In web2py this is possible via auth.settings.action_disabled
>>>>
>>>> For example:
>>>>
>>>> auth.settings.action_disabled=['register']
>>>>
>>>> prevents the "register" action from working.
>>>>
>>>> Thank you.
>>>>
>>>
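
The two `auth.password_complexity` styles from the top message, compared on constructed passwords. This is an added example, not py4web code or code from the thread; the entropy estimate (length × log2 of the character pools in use), the pool definitions and the helper names are assumptions and may differ from how py4web scores passwords.

```python
import math
import string

# Character pools for the estimate (assumption: simple pool-size model).
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "number": string.digits,
    "special": string.punctuation + " ",
}
ENTROPY_POLICY = {"entropy": 50}
COMPOSITION_POLICY = {"min": 8, "upper": 1, "lower": 1, "number": 1, "special": 1}

def count_classes(password):
    """Count how many characters of the password fall in each pool."""
    return {name: sum(ch in pool for ch in password) for name, pool in POOLS.items()}

def estimate_entropy(password):
    """Upper-bound estimate in bits: length * log2(size of the pools in use)."""
    counts = count_classes(password)
    pool_size = sum(len(POOLS[n]) for n, c in counts.items() if c)
    return round(len(password) * math.log2(pool_size), 1) if pool_size else 0.0

def min_length(pool_names, bits):
    """Shortest length that reaches `bits` when only these pools are used."""
    size = sum(len(POOLS[n]) for n in pool_names)
    return math.ceil(bits / math.log2(size))

def check_policy(password, policy):
    """Return the unmet requirements for either policy style ([] = accepted)."""
    if "entropy" in policy:
        bits = estimate_entropy(password)
        return [] if bits >= policy["entropy"] else [f"entropy {bits} < {policy['entropy']}"]
    counts = count_classes(password)
    failures = ["min"] if len(password) < policy.get("min", 0) else []
    failures += [n for n in POOLS if counts[n] < policy.get(n, 0)]
    return failures

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ("password", "Pa5$word", "correcthorsebattery"):
        print(f"{pw!r}: entropy rule {check_policy(pw, ENTROPY_POLICY)}, "
              f"composition rule {check_policy(pw, COMPOSITION_POLICY)}")
    print("min length, lowercase only:", min_length(["lower"], 50))
    print("min length, all four pools:", min_length(list(POOLS), 50))
```

Under this model a 19-letter lowercase passphrase is accepted by the entropy rule and rejected by the composition rule, and a lowercase-only password needs at least 11 characters to reach 50 bits.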
