Merge pull request #2657 from chris-y/totp-window
Expand TOTP validity window. This changes the default window to allow 2 codes (60 seconds) on either side. Admins can change this by setting a different `TWO_FACTOR_LOGIN_VALIDITY_WINDOW` value in `.env`.
66ce298001
3 changed files with 10 additions and 2 deletions
@ -121,6 +121,12 @@ OTEL_SERVICE_NAME=
# https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
# https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
HTTP_X_FORWARDED_PROTO=false
HTTP_X_FORWARDED_PROTO=false
# TOTP settings
# TWO_FACTOR_LOGIN_VALIDITY_WINDOW sets the number of codes either side
# which will be accepted.
TWO_FACTOR_LOGIN_VALIDITY_WINDOW=2
TWO_FACTOR_LOGIN_MAX_SECONDS=60
# Additional hosts to allow in the Content-Security-Policy, "self" (should be DOMAIN)
# Additional hosts to allow in the Content-Security-Policy, "self" (should be DOMAIN)
# and AWS_S3_CUSTOM_DOMAIN (if used) are added by default.
# and AWS_S3_CUSTOM_DOMAIN (if used) are added by default.
# Value should be a comma-separated list of host names.
# Value should be a comma-separated list of host names.
@ -8,6 +8,7 @@ import pyotp
from bookwyrm import models
from bookwyrm import models
from bookwyrm.settings import DOMAIN
from bookwyrm.settings import DOMAIN
from bookwyrm.settings import TWO_FACTOR_LOGIN_VALIDITY_WINDOW
from .custom_form import CustomForm
from .custom_form import CustomForm
@ -108,7 +109,7 @@ class Confirm2FAForm(CustomForm):
otp = self.data.get("otp")
otp = self.data.get("otp")
totp = pyotp.TOTP(self.instance.otp_secret)
totp = pyotp.TOTP(self.instance.otp_secret)
if not totp.verify(otp):
if not totp.verify(otp, valid_window=TWO_FACTOR_LOGIN_VALIDITY_WINDOW):
if self.instance.hotp_secret:
if self.instance.hotp_secret:
# maybe it's a backup code?
# maybe it's a backup code?
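Review bot: Passing `valid_window=TWO_FACTOR_LOGIN_VALIDITY_WINDOW` to `totp.verify` widens the acceptance window without addressing replay: pyotp's `verify` only checks that the code matches one of the steps in the window and does not remember codes that were already accepted, so with the new default a code that has been observed stays usable for five consecutive 30-second steps (pyotp's default interval) rather than one. The usual mitigation, which RFC 6238 recommends for verifiers, is to persist the time step of the last accepted code on the user and reject any code whose step is not greater than it; that needs a model field and is out of scope for this hunk, but it is worth a note next to the call, `# NOTE: pyotp does not track used codes; a valid code can be replayed for the whole window`. The same widening also multiplies the number of codes a guessing attempt can hit, so the existing login rate limiting should be confirmed to cover this form. The enclosing method of `Confirm2FAForm` starts and ends outside the hunk, and the backup-code branch below is unchanged by this commit.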
@ -378,7 +378,8 @@ OTEL_EXPORTER_OTLP_ENDPOINT = env("OTEL_EXPORTER_OTLP_ENDPOINT", None)
OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
OTEL_SERVICE_NAME = env("OTEL_SERVICE_NAME", None)
OTEL_SERVICE_NAME = env("OTEL_SERVICE_NAME", None)
TWO_FACTOR_LOGIN_MAX_SECONDS = 60
TWO_FACTOR_LOGIN_MAX_SECONDS = env.int("TWO_FACTOR_LOGIN_MAX_SECONDS", 60)
TWO_FACTOR_LOGIN_VALIDITY_WINDOW = env.int("TWO_FACTOR_LOGIN_VALIDITY_WINDOW", 2)
HTTP_X_FORWARDED_PROTO = env.bool("SECURE_PROXY_SSL_HEADER", False)
HTTP_X_FORWARDED_PROTO = env.bool("SECURE_PROXY_SSL_HEADER", False)
if HTTP_X_FORWARDED_PROTO:
if HTTP_X_FORWARDED_PROTO:
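Review bot: `TWO_FACTOR_LOGIN_VALIDITY_WINDOW` is read with `env.int` and handed to pyotp with no bounds check, so a mistyped `.env` value (negative, or accidentally large) silently changes how many codes the login accepts, and since pyotp tries every step from `-window` to `+window` a large value also makes each verification proportionally more expensive. A load-time guard keeps the operator's choice explicit, e.g. `if not 0 <= TWO_FACTOR_LOGIN_VALIDITY_WINDOW <= 10:` followed by `raise ImproperlyConfigured("TWO_FACTOR_LOGIN_VALIDITY_WINDOW must be between 0 and 10")`, with 10 being a constructed example cap; whether `ImproperlyConfigured` is already imported in this file is not visible here. The setting also deserves a comment stating the trade-off, since the unit is steps rather than seconds: `# TOTP steps accepted either side of the current one (30 s each); 2 means five consecutive codes are valid at any moment.`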