Hello Jim,

this line of code

auth.settings.auth_two_factor_enabled = True

does not protect the administrator password. Only created users.
That is my question: how to force administrator to use 2fa?

Regards,
António

On Fri, Sep 1, 2023 at 15:00, Jim S <ato.st...@gmail.com> wrote:

> Here is the code I wrote that only enforced 2fa for users outside our
> local networks.
>
> There is some commented out code there that additionally allowed me to
> specify users in a group so only that group was forced to 2fa
>
> def _two_factor_required(auth_user):
>     """
>     check whether we need to enforce MFA on this login
>
>     We enforce MFA only on logins external to our network.
>
>     Returns
>     -------
>     bool - enforce MFA
>         - True means this login requires MFA
>         - False means we will not enforce MFA for this login
>     """
>     import datetime
>     import ipaddress
>
>     return False  # temp use to disable mfa
>
>     # default: require MFA unless one of the exemptions below applies
>     return_value = True
>
>     if len(request.args) > 0 and request.args[0] == "login":
>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>             # no mfa required if the user override is set - we added a
>             # field in auth_user to allow us to override if a user was
>             # having trouble or lost their phone or something
>             return False
>
>         qlf_networks = [
>             "9.9.9.9/22",
>             "9.9.9.0/24",
>             "9.9.9.101/24",
>         ]
>
>         ip_list = []
>         for network in qlf_networks:
>             # strict=False: the entries above have host bits set
>             ip_list.extend(ipaddress.IPv4Network(unicode(network), strict=False))
>
>         if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
>             # if the client address is in the local address list, then do
>             # NOT require MFA so set to False
>             return_value = False
>
>         # build the MFA Required group members
>         # if return_value:
>         #     print(datetime.datetime.now())
>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>         #     if not ag:
>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>         #     for ou in db(
>         #         (db.auth_user.active == True)
>         #         | (
>         #             (db.auth_user.mfa_override == None)
>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>         #         )
>         #     ).select():
>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>         #
>         #     # clear out any members that are currently exempt from MFA
>         #     if ag:
>         #         for exempt_user in db(
>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>         #             & (db.auth_user.active == True)
>         #         ).select():
>         #             db(
>         #                 (db.auth_membership.group_id == ag.id)
>         #                 & (db.auth_membership.user_id == exempt_user.id)
>         #             ).delete()
>         #         db.commit()
>         #
>         #     print(datetime.datetime.now())
>         #
>         #     # set to False to force web2py to check the two_factor_authentication group
>         #     return_value = False
>
>     return return_value
>
> That code is in db.py
>
> Then....
>
> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
> auth.settings.two_factor_methods = [
>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
> ]
>
> My _send_sms code built an sms and sent it via Twilio or RingCentral
>
> I wrote this code, but then we ended up not implementing. The web2py code
> is going away for us. All the same concepts work in py4web (nudge wink
> wink)
>
> -Jim
>
> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>
>> Anyone can help me?
>>
>> On Wed, Aug 30, 2023 at 10:14, António Ramos <ramst...@gmail.com>
>> wrote:
>>
>>> in other words, how do i protect the administrator password? it does not
>>> have a username, just a password. This is scary :)
>>>
>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <ramst...@gmail.com>
>>> wrote:
>>>
>>>> But that is for everyone, i just want to start with users with admin
>>>> powers
>>>>
>>>> Clemens <clemens....@claret-clover.de> wrote on Tue, 29/08/2023 at
>>>> 18:25:
>>>>
>>>>> Try enabling 2FA via the following setting, since this is for all
>>>>> users:
>>>>> auth.settings.auth_two_factor_enabled = True
>>>>>
>>>>> Regards
>>>>> Clemens
>>>>>
>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>
>>>>>> i just activated the two step auth with this
>>>>>>
>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>
>>>>>>
>>>>>> but now how do i include the administrator user?
>>>>>>
>>>>>> regards
>>>>>> António
>>>>>>
>>>>> --
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com