Secure your Wagtail site with multi-factor authentication. Supports TOTP and WebAuthn/Passkeys.
Project description
Wagtail MFA
Wagtail MFA is a multi-factor authentication package for Wagtail. It adds an extra layer of security to your Wagtail admin interface.
Under the hood, Wagtail MFA uses django-otp and django-otp-webauthn to provide the Passkey login functionality. All this package does is provide a Wagtail-specific UI to let users manage their MFA settings and a page for MFA verification.
[!IMPORTANT]
This package is alpha and not yet feature-complete. It hasn't been thoroughly tested and documented yet. If you are interested in using this package, please star this repository to show your interest. Eventually, I intend to
Screenshots
Safari autofill prompt for saved Passkey | Login with fingerprint | Registered Passkeys |
---|---|---|
Features
Supported authentication methods:
- Passkeys (passwordless login supported)
Coming soon:
- Time-based one-time passwords (TOTP)
- Recovery codes
Supported browsers
Passkeys are still a relatively new technology, and not all browsers support them reliably. The following browsers have been tested and are known to work with Passkeys:
- Chrome 125 on macOS 14
- Firefox 126 on macOS 14 (with known issues, see Known limitations
- Safari 17 on macOS 14
[^1]: There is a known issue with logging in without a password, see Known limitations for more information.
Requirements
- Python >= 3.9
- Django >= 4.2
- Wagtail >= 5.2
Installation
Install the package using pip:
pip install wagtail-mfa
Add all required apps to your INSTALLED_APPS
:
# settings.py
INSTALLED_APPS = [
...
# Wagtail MFA must appear before wagtail because it overrides the default Wagtail login template
"wagtail_mfa",
...
# django-otp and django-otp-webauthn are required
"django_otp",
"django_otp_webauthn",
...
]
For Passkeys to work properly, you need to set some additional django_otp_webauthn
settings.
Adapt and add the following code snippet to your settings.py
:
# settings.py
OTP_WEBAUTHN_RP_ID = "your-domain.com"
OTP_WEBAUTHN_RP_NAME = WAGTAIL_SITE_NAME
OTP_WEBAUTHN_ALLOWED_ORIGINS = ["https://your-domain.com", "https://subdomain.your-domain.com"]
Configuration
OTP_WEBAUTHN_RP_ID
example: your-domain.com
This setting is the primary domain of your site. Passkeys are bound to this domain. This cannot be a 'public suffix' domain like your-app.compute.amazonaws.com
or your-app.herokuapp.com
. It must be a domain you own. Browsers will refuse to create Passkeys for public suffix domains. For a complete list of public suffix domains, see publicsuffix.org.
OTP_WEBAUTHN_RP_NAME
example: My Cool Wagtail Site
Some browsers show this name when registering a Passkey. This can be the name of your site or your company.
OTP_WEBAUTHN_ALLOWED_ORIGINS
example: ["https://your-domain.com", "https://subdomain.your-domain.com"]
This setting is similar to Django's CSRF_TRUSTED_ORIGINS
setting and is used to verify Passkey registration/authentication requests. It must be a https://
(sub)domain of the OTP_WEBAUTHN_RP_ID
. Do not include a trailing slash.
Known issues
- Issues on Firefox. When using Firefox to register and store a Passkey on an Android device, the Passkey will not be available to use for passwordless login. This is because Firefox does not create a
discoverable credential
. This appears to be a limitation of Firefox. This issue was observed on Firefox 126 on macOS 14. - Multi-site has limited support. WebAuthn does not currently support using Passkeys across different domains. If you create a Passkey for
your-site.com
, you cannot use it to authenticate onanother-site.com
. Subdomains likesubdomain.your-site.com
are supported however.
Development
See DEVELOPMENT.md for information on how to develop and contribute to this project.
License
This project is licensed under the BSD 3-Clause License. See the LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for wagtail_mfa-0.1.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f2fc74701d2d6fc191c19cbb54218aaa40e3a2dfd25fd670950c787d82999857 |
|
MD5 | c7b26134a0144c7c4c8541283842a037 |
|
BLAKE2b-256 | a7cfee70583fb8706ed4f7bf426598ee4ded6f6c8037c0f524cad2d170cd88e1 |