Two Factor Authentication for Django using the Web Authentication API.
Project description
django-webauth
Multi-Factor Authentication (MFA, 2FA) for Django using the Web Authentication API.
Security Disclaimer
This alpha stage software is not production ready and requires further hardening before it can be safely deployed into the wild.
Quick Start
1. Install `django-webauth` using pip

   ```shell
   $ pip install django-webauth
   ```

2. Add `webauth` to `INSTALLED_APPS`

   ```python
   # settings.py
   INSTALLED_APPS = [
       ...
       "webauth",
   ]
   ```

3. Add django-webauth URLs

   ```python
   # urls.py
   from django.urls import include, path

   urlpatterns = [
       ...
       path("webauth/", include("webauth.urls")),
   ]
   ```

4. Add Web Authentication protection to your views. How you do this depends on whether you're protecting function views or class based views:

   - To protect view functions: Add the `@webauth_required` decorator to disallow users that have not authenticated with webauth.

     ```python
     # views.py
     from webauth.decorators import webauth_required

     @webauth_required
     def private_view(request):
         ...
     ```

   - To protect class based views: Add `WebAuthRequiredMixin` to the inheritance list on your view classes.

     ```python
     # views.py
     from django.views import View
     from webauth.mixins import WebAuthRequiredMixin

     class YourClassBasedView(WebAuthRequiredMixin, View):
         ...
     ```

5. Set some required `django-webauth` settings

   ```python
   # settings.py
   WEBAUTH_RP_ID = "localhost"
   WEBAUTH_RP_NAME = "Example Site"
   WEBAUTH_ORIGIN = "http://localhost:8000"
   WEBAUTH_VERIFY_URL = "/webauth/verify/"
   ```

6. Run migrations to create the table for storing authenticator data

   ```shell
   $ python manage.py migrate
   ```

7. Run your Django app and register a new security key at http://localhost:8000/webauth/register/

8. Navigate to a view you protected in step 4. `django-webauth` will redirect you to a page that will attempt to authenticate using your newly created key. If successful, you will be redirected to the protected view.
Customizing the built-in templates
`django-webauth` includes templates out of the box to get you up and running. The templates extend `webauth/base.html`, which you will likely want to replace with your own base template.

Replace the built-in base template simply by creating a new `webauth/base.html` in your app's `templates` folder. See How to override templates from the Django documentation for more info.

You are also welcome, and encouraged, to replace the other included templates with your own using the same method.
Configuration settings
- `WEBAUTH_RP_ID`: the hostname (minus scheme and port) of the server running your Django app
- `WEBAUTH_RP_NAME`: human readable name of your server intended only for display
- `WEBAUTH_ORIGIN`: used for verifying assertions. Only authentication ceremonies occurring in this origin will validate
- `WEBAUTH_VERIFY_URL`: users not authenticated with `django-webauth` are redirected here when they request a protected view. This "login" page completes the multi-factor authentication flow.
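
The settings above have to agree with each other before a ceremony can validate. The following pre-deployment check is an added example, not part of django-webauth; the function name `check_webauth_settings` and the rule that the verify URL is a site-relative path are assumptions made here.

```python
from urllib.parse import urlsplit


def check_webauth_settings(rp_id, origin, verify_url):
    """Return a list of problems with the three values; empty means consistent."""
    problems = []
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()

    # An origin is scheme://host[:port] and nothing else.
    if parts.scheme not in ("http", "https") or not host:
        problems.append("WEBAUTH_ORIGIN must look like https://host[:port]")
    elif parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("WEBAUTH_ORIGIN must not carry a path, query or fragment")

    # Browsers expose WebAuthn only in secure contexts; plain http works
    # on localhost (the Quick Start values) but not on a deployed host.
    if parts.scheme == "http" and host != "localhost":
        problems.append("WEBAUTH_ORIGIN must use https outside localhost")

    # WEBAUTH_RP_ID is a bare hostname that equals the origin's host or is
    # a parent domain of it (public-suffix rules are not checked here).
    rp = (rp_id or "").lower()
    if not rp or any(ch in rp for ch in ":/@?#"):
        problems.append("WEBAUTH_RP_ID must be a hostname without scheme, port or path")
    elif host and host != rp and not host.endswith("." + rp):
        problems.append("WEBAUTH_RP_ID does not match the host in WEBAUTH_ORIGIN")

    # Assumption: the verify URL is meant to be a path on this site.
    if not verify_url.startswith("/") or verify_url.startswith("//"):
        problems.append("WEBAUTH_VERIFY_URL should be a site-relative path")

    return problems


# Constructed sample values: the Quick Start settings, then a mismatched set.
QUICK_START = check_webauth_settings(
    "localhost", "http://localhost:8000", "/webauth/verify/")
MISMATCHED = check_webauth_settings(
    "example.com", "http://app.example.org/login", "//other.test/")

if __name__ == "__main__":
    print("quick start:", QUICK_START or "ok")
    for problem in MISMATCHED:
        print("mismatched:", problem)
```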
Hashes for django_webauth-0.1.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 990c9e738218356b66f5d0624cb319ac55673a4856d8d683ab1983dc55c5847d
MD5 | f7735cd445b5b62d948c5df32c7d4e71
BLAKE2b-256 | 4e024cc2f19492ea08120cf98dc079044d8d4d54f68b2a777d03cf9d2c1a1f92