Metadata-Version: 2.1
Name: wagtail-2fa
Version: 1.4.2
Summary: Two factor authentication for Wagtail
Home-page: https://github.com/LabD/wagtail-2fa
Author: Lab Digital
Author-email: opensource@labdigital.nl
License: MIT
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Framework :: Django :: 1.11
Classifier: Framework :: Django :: 2.2
Classifier: Framework :: Django :: 3.0
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Python: >=3.6
Requires-Dist: Django (>=1.11.28)
Requires-Dist: Wagtail (>=2.2)
Requires-Dist: django-otp (>=0.8.1)
Requires-Dist: six (>=1.14.0)
Requires-Dist: qrcode (>=6.1)
Provides-Extra: docs
Requires-Dist: sphinx (>=1.4.1) ; extra == 'docs'
Requires-Dist: sphinx-rtd-theme (>=0.4.3) ; extra == 'docs'
Provides-Extra: test
Requires-Dist: coverage (==5.0.3) ; extra == 'test'
Requires-Dist: pytest (==5.3.5) ; extra == 'test'
Requires-Dist: pytest-cov (==2.8.1) ; extra == 'test'
Requires-Dist: pytest-django (==3.8.0) ; extra == 'test'
Requires-Dist: isort (==4.3.21) ; extra == 'test'
Requires-Dist: flake8 (==3.7.9) ; extra == 'test'
Requires-Dist: flake8-blind-except (==0.1.1) ; extra == 'test'
Requires-Dist: flake8-debugger (==3.2.1) ; extra == 'test'



===========
wagtail-2fa
===========

This Django app adds two-factor authentication to Wagtail. Behind the scenes
it uses django-otp_, which supports Time-based One-Time Passwords (TOTP). This
allows you to use various apps like Authy, Google Authenticator, or
1Password.


.. _django-otp: https://django-otp-official.readthedocs.io


Installation
============

.. code-block:: shell

   pip install wagtail-2fa


Then add the following lines to the ``INSTALLED_APPS`` list in your Django
settings:

.. code-block:: python

    INSTALLED_APPS = [
        # ...
        'wagtail_2fa',
        'django_otp',
        'django_otp.plugins.otp_totp',
        # ...
    ]

Next, add the required middleware to the ``MIDDLEWARE`` list. It should come
after the ``AuthenticationMiddleware``:

.. code-block:: python

    MIDDLEWARE = [
        # .. other middleware
        # 'django.contrib.auth.middleware.AuthenticationMiddleware',

        'wagtail_2fa.middleware.VerifyUserMiddleware',

        # 'wagtail.core.middleware.SiteMiddleware',
        # .. other middleware
    ]

Migrate your database:

.. code-block:: shell

   python manage.py migrate



Settings
========

The following settings are available (set via your Django settings):

    - ``WAGTAIL_2FA_REQUIRED`` (default: ``False``): When set to ``True``, all
      staff, superusers and other users with access to the Wagtail Admin site
      are forced to log in using two-factor authentication.
    - ``WAGTAIL_MOUNT_PATH`` (default: ``''``): The uWSGI mount point that
      Wagtail is running at. Example: ``/wagtail``
    - ``WAGTAIL_2FA_OTP_TOTP_NAME`` (default: ``False``): The issuer name to
      identify which site is which in your authenticator app. If not set and
      ``WAGTAIL_SITE_NAME`` is defined, that value is used. Sets
      ``OTP_TOTP_ISSUER`` under the hood.


Making 2FA optional
===================

With the default ``VerifyUserMiddleware`` middleware, 2FA is enabled for every user.
To make 2FA optional, use the ``VerifyUserPermissionsMiddleware`` middleware
instead of ``VerifyUserMiddleware`` in your Django settings:

.. code-block:: python

    MIDDLEWARE = [
        # ...
        # 'wagtail_2fa.middleware.VerifyUserMiddleware',
        'wagtail_2fa.middleware.VerifyUserPermissionsMiddleware',
        # ...
    ]

When this middleware is used, a checkbox is added to the group permissions
and 2FA can be enabled or disabled per group.

2FA is always enabled for superusers, regardless of the middleware used.
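
The checks below are an added example, not part of wagtail-2fa: a stand-alone audit of the values described in the Installation, Settings and Making 2FA optional sections. The function name ``audit_2fa_settings`` and the sample configurations are constructed for illustration.

```python
"""Audit a Django settings snippet against the wagtail-2fa README (added example)."""
REQUIRED_APPS = ("wagtail_2fa", "django_otp", "django_otp.plugins.otp_totp")
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
VERIFY_MW = "wagtail_2fa.middleware.VerifyUserMiddleware"
PERMS_MW = "wagtail_2fa.middleware.VerifyUserPermissionsMiddleware"


def audit_2fa_settings(installed_apps, middleware, required=False):
    """Return findings; the arguments mirror INSTALLED_APPS, MIDDLEWARE and
    WAGTAIL_2FA_REQUIRED. Hypothetical helper, not a wagtail-2fa API."""
    findings = [f"missing app: {app}" for app in REQUIRED_APPS
                if app not in installed_apps]

    present = [mw for mw in (VERIFY_MW, PERMS_MW) if mw in middleware]
    if not present:
        findings.append("no wagtail-2fa middleware listed")
    elif len(present) > 1:
        findings.append("both wagtail-2fa middlewares listed; use only one")

    if AUTH_MW not in middleware:
        findings.append("AuthenticationMiddleware is not listed")
    else:
        # The README requires the 2FA middleware to come after authentication.
        auth_pos = middleware.index(AUTH_MW)
        findings += [f"{mw} comes before AuthenticationMiddleware"
                     for mw in present if middleware.index(mw) < auth_pos]

    if not required:
        findings.append("WAGTAIL_2FA_REQUIRED is not True; 2FA is not forced")
    if PERMS_MW in present:
        findings.append("2FA is set per group; review the group permissions")
    return findings


# Constructed sample settings, not taken from a real project.
GOOD = dict(installed_apps=list(REQUIRED_APPS),
            middleware=[AUTH_MW, VERIFY_MW], required=True)
BAD = dict(installed_apps=["wagtail_2fa", "django_otp"],
           middleware=[PERMS_MW, AUTH_MW], required=False)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_2fa_settings(**cfg) or "no findings")
```
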

Sandbox
=======

First create a new virtualenv with Python 3.6.1 and activate it. Then run
the following command:

.. code-block:: shell

   make sandbox

You can then visit http://localhost:8000/admin/ and log in with the following
credentials:

    - E-mail: superuser@example.com
    - Password: testing


