Hello Jim,
this line of code
auth.settings.auth_two_factor_enabled = True
does not protect the administrator password. Only created users.
That is my question: how to force the administrator to use 2FA?
Regards
António

On Fri, Sep 1, 2023 at 15:00, Jim S <ato.st...@gmail.com> wrote:

> Here is the code I wrote that only enforced 2fa for users outside our
> local networks.
>
> There is some commented out code there that additionally allowed me to
> specify users in a group so only that group was forced to 2fa.
>
> def _two_factor_required(auth_user):
>     """
>     check whether we need to enforce MFA on this login
>
>     We enforce MFA only on logins external to our network.
>
>     Returns
>     -------
>     bool - enforce MFA
>         - True means this login requires MFA
>         - False means we will not enforce MFA for this login
>     """
>     import datetime
>     import ipaddress
>
>     return False  #  temp use to disable mfa
>
>     if len(request.args) > 0 and request.args[0] == "login":
>         #  default: require MFA unless one of the exemptions below applies
>         return_value = True
>
>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>             #  no mfa required if the user override is set   - we added a
>             #  field in auth_user to allow us to override if a user was having
>             #  trouble or lost their phone or something
>             return False
>
>         qlf_networks = [
>             "9.9.9.9/22",
>             "9.9.9.0/24",
>             "9.9.9.101/24",
>         ]
>
>         ip_list = []
>         for network in qlf_networks:
>             #  unicode() is Python 2 (use str() on Python 3); strict=False
>             #  accepts networks written with host bits set
>             ip_list.extend(ipaddress.IPv4Network(unicode(network), strict=False))
>
>         if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
>             #  if the client address is in the local address list, then do
>             #  NOT require MFA so set to False
>             return_value = False
>
>         #  build the MFA Required group members
>         # if return_value:
>         #     print(datetime.datetime.now())
>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>         #     if not ag:
>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>         #     for ou in db(
>         #         (db.auth_user.active == True)
>         #         | (
>         #             (db.auth_user.mfa_override == None)
>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>         #         )
>         #     ).select():
>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>         #
>         #     #  clear out any members that are currently exempt from MFA
>         #     if ag:
>         #         for exempt_user in db(
>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>         #             & (db.auth_user.active == True)
>         #         ).select():
>         #             db(
>         #                 (db.auth_membership.group_id == ag.id)
>         #                 & (db.auth_membership.user_id == exempt_user.id)
>         #             ).delete()
>         #     db.commit()
>         #
>         #     print(datetime.datetime.now())
>         #
>         #     #  set to False to force web2py to check the two_factor_authentication  group
>         #     return_value = False
>
>         return return_value
>
> That code is in db.py
>
> Then....
>
> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
> auth.settings.two_factor_methods = [
>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
> ]
>
> My _send_sms code built an SMS and sent it via Twilio or RingCentral
>
> I wrote this code, but then we ended up not implementing.  The web2py code
> is going away for us.  All the same concepts work in py4web (nudge wink
> wink)
>
> -Jim
>
>
>
> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>
>> Can anyone help me?
>>
>> On Wed, Aug 30, 2023 at 10:14, António Ramos <ramst...@gmail.com>
>> wrote:
>>
>>> In other words, how do I protect the administrator password? It does not
>>> have a username, just a password. This is scary :)
>>>
>>>
>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <ramst...@gmail.com>
>>> wrote:
>>>
>>>> But that is for everyone, I just want to start with users with admin
>>>> powers
>>>>
>>>> Clemens <clemens....@claret-clover.de> wrote on Tue, 29/08/2023 at
>>>> 18:25:
>>>>
>>>>> Try enabling 2FA via the following setting, since this is for all
>>>>> users:
>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>
>>>>> Regards
>>>>> Clemens
>>>>>
>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>
>>>>>> I just activated the two step auth with this
>>>>>>
>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>
>>>>>>
>>>>>> but now how do I include the administrator user?
>>>>>>
>>>>>> regards
>>>>>> António
>>>>>>
>>>>> --
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>
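
The network and override check discussed in this thread, written as a standalone added example (not code from the thread and not part of web2py). It tests membership against network objects and requires MFA when the client address cannot be parsed; `mfa_required`, `TRUSTED_NETWORKS` and the sample ranges are hypothetical names and constructed values.

```python
import datetime
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), not the thread's networks.
# strict=False accepts a CIDR written with host bits set, e.g. 198.51.100.77/25.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("192.0.2.0/24", "198.51.100.77/25")
]


def mfa_required(client_ip, mfa_override=None, now=None, networks=TRUSTED_NETWORKS):
    """Return True when this login must complete the second factor.

    client_ip must come from a source the server controls (the socket peer,
    or a header set by your own reverse proxy). A client-supplied forwarding
    header would let any caller claim an internal address.
    """
    now = now or datetime.datetime.now()

    # Per-user override: exempt only while the timestamp is still in the future.
    if mfa_override is not None and now <= mfa_override:
        return False

    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Missing or unparseable address: fail closed and require MFA.
        return True

    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as its IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped

    # Membership test against network objects, no per-address expansion.
    # An address never matches a network of the other IP version.
    return not any(addr in net for net in networks)
```
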
