Feature/189 install maykin 2fa

src/openklant/accounts/tests/factories.py

@@ -1,4 +1,14 @@
 import factory
+from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
+from django_otp.util import random_hex
+
+
+class TOTPDeviceFactory(factory.django.DjangoModelFactory):
+    user = factory.SubFactory("nrc.accounts.tests.factories.UserFactory")
+    key = factory.LazyAttribute(lambda o: random_hex())
+
+    class Meta:
+        model = "otp_totp.TOTPDevice"
 
 
 class UserFactory(factory.django.DjangoModelFactory):
@@ -8,7 +18,32 @@ class UserFactory(factory.django.DjangoModelFactory):
     class Meta:
         model = "accounts.User"
 
+    class Params:
+        with_totp_device = factory.Trait(
+            device=factory.RelatedFactory(
+                TOTPDeviceFactory,
+                "user",
+                name="default",
+            )
+        )
+
 
 class SuperUserFactory(UserFactory):
     is_staff = True
     is_superuser = True
+
+
+class RecoveryDeviceFactory(factory.django.DjangoModelFactory):
+    user = factory.SubFactory("nrc.accounts.tests.factories.UserFactory")
+    name = "backup"
+
+    class Meta:
+        model = StaticDevice
+
+
+class RecoveryTokenFactory(factory.django.DjangoModelFactory):
+    device = factory.SubFactory(RecoveryDeviceFactory)
+    token = factory.LazyFunction(StaticToken.random_token)
+
+    class Meta:
+        model = StaticToken

src/openklant/accounts/tests/test_admin.py

@@ -0,0 +1,45 @@
+from django.test import override_settings, tag
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext
+
+from django_webtest import WebTest
+
+from openklant.accounts.tests.factories import RecoveryTokenFactory, SuperUserFactory
+
+LOGIN_URL = reverse_lazy("admin:login")
+
+
+@override_settings(
+    USE_OIDC_FOR_ADMIN_LOGIN=False,
+    MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS=[],  # enforce MFA
+)
+class RecoveryTokenTests(WebTest):
+    @tag("gh-4072")
+    def test_can_enter_recovery_token(self):
+        user = SuperUserFactory.create(
+            with_totp_device=True,
+            username="admin",
+            password="admin",
+        )
+        recovery_token = RecoveryTokenFactory.create(device__user=user).token
+        login_page = self.app.get(LOGIN_URL, auto_follow=True)
+
+        # log in with credentials
+        form = login_page.forms["login-form"]
+        form["auth-username"] = "admin"
+        form["auth-password"] = "admin"
+        response = form.submit()
+
+        # we should now be on the enter-your-token page
+        form = response.forms["login-form"]
+        self.assertIn("token-otp_token", form.fields)
+
+        # do not enter a token, but follow the link to use a recovery token
+        link_name = gettext("Use a recovery token")
+        recovery_page = response.click(description=link_name)
+        self.assertEqual(recovery_page.status_code, 200)
+
+        recovery_form = recovery_page.forms[0]
+        recovery_form["backup-otp_token"] = recovery_token
+        admin_index = recovery_form.submit().follow()
+        self.assertEqual(admin_index.request.path, reverse("admin:index"))

src/openklant/conf/base.py

@@ -7,8 +7,6 @@
 #
 # APPLICATIONS enabled for this project
 #
-# FIXME implement 2fa
-INSTALLED_APPS.pop(INSTALLED_APPS.index("maykin_2fa"))
 INSTALLED_APPS = INSTALLED_APPS + [
     # Project applications.
     "openklant.accounts",

src/openklant/fixtures/default_admin_index.json

@@ -99,6 +99,14 @@
             [
                 "mozilla_django_oidc_db",
                 "openidconnectconfig"
+            ],
+            [
+                "otp_totp",
+                "totpdevice"
+            ],
+            [
+                "two_factor_webauthn",
+                "webauthndevice"
             ]
         ]
     }

src/openklant/templates/maykin_2fa/login.html

@@ -0,0 +1,18 @@
+{% extends "maykin_2fa/login.html" %}
+{% load solo_tags i18n %}
+
+{% block extra_login_options %}
+    {% get_solo 'mozilla_django_oidc_db.OpenIDConnectConfig' as oidc_config %}
+    {% if oidc_config.enabled %}
+        <div class="admin-login-option">{% trans "or" %}</div>
+        <div class="admin-login-option">
+            <a href="{% url 'oidc_authentication_init' %}">{% trans "Login with organization account" %}</a>
+        </div>
+    {% endif %}
+{% endblock %}
+
+{% block extra_recovery_options %}
+<li>
+    {% trans 'Contact support to start the account recovery process' %}
+</li>
+{% endblock extra_recovery_options %}

src/openklant/urls.py

@@ -7,11 +7,12 @@
 from django.urls import include, path, re_path
 from django.views.generic.base import TemplateView
 
-from openklant.accounts.views.password_reset import PasswordResetView
+from maykin_2fa import monkeypatch_admin
+from maykin_2fa.urls import urlpatterns, webauthn_urlpatterns
 
-# from two_factor.admin import AdminSiteOTPRequired
-# from two_factor.urls import urlpatterns as tf_urls
+from openklant.accounts.views.password_reset import PasswordResetView
 
+monkeypatch_admin()
 
 handler500 = "openklant.utils.views.server_error"
 admin.site.site_header = "openklant admin"
@@ -33,6 +34,9 @@
         auth_views.PasswordResetDoneView.as_view(),
         name="password_reset_done",
     ),
+    # 2fa
+    path("admin/", include((urlpatterns, "maykin_2fa"))),
+    path("admin/", include((webauthn_urlpatterns, "two_factor"))),
     path("admin/", admin.site.urls),
     # path("admin/", include(tf_urls)),
     path(