Add 2FA

numerique-gouv · Dec 7, 2023 · 9d0ebee · 9d0ebee
1 parent 162973c
commit 9d0ebee
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 2 deletions.
diff --git a/.env.example b/.env.example
@@ -4,6 +4,7 @@ HOST_PROTO=http
 HOST_URL=localhost # use 0.0.0.0 for Docker
 ALLOWED_HOSTS=localhost, 0.0.0.0
 HOST_PORT=8000
+SITE_NAME=Nom du site
 
 USE_DOCKER=0 # Set 1 to use Docker
 
@@ -19,3 +20,5 @@ S3_KEY_ID=
 S3_KEY_SECRET=
 S3_BUCKET_NAME=
 S3_BUCKET_REGION=eu-west-3
+
+WAGTAIL_2FA_REQUIRED=False
diff --git a/README.md b/README.md
@@ -87,3 +87,11 @@ Vous pouvez également générer un rapport sur la couverture de tests :
 ```sh
 coverage run manage.py test --settings config.settings_test
 ```
+
+## Configurer l’authentification à deux facteurs (2FA)
+Pour activer l’authentification à deux facteurs sur le site, il faut passer la variable `WAGTAIL_2FA_REQUIRED` à True et remplir la variable `SITE_NAME` si elle ne l’est pas déjà.
+
+```
+SITE_NAME=Nom du site
+WAGTAIL_2FA_REQUIRED=True
+```
diff --git a/config/settings.py b/config/settings.py
@@ -64,6 +64,9 @@
     "dsfr",
     "sass_processor",
     "content_manager",
+    "wagtail_2fa",
+    "django_otp",
+    "django_otp.plugins.otp_totp",
 ]
 
 if DEBUG:
@@ -77,6 +80,7 @@
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "wagtail_2fa.middleware.VerifyUserMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "wagtail.contrib.redirects.middleware.RedirectMiddleware",
@@ -195,7 +199,7 @@
 # Wagtail settings
 # https://docs.wagtail.org/en/stable/reference/settings.html
 
-WAGTAIL_SITE_NAME = "Gestionnaire de contenu avec le Système de Design de l'État"
+WAGTAIL_SITE_NAME = os.getenv("SITE_NAME", "Gestionnaire de contenu avec le Système de Design de l’État")
 
 # Base URL to use when referring to full URLs within the Wagtail admin backend -
 # e.g. in notification emails. Don't include '/admin' or a trailing slash
@@ -228,3 +232,6 @@
 CSRF_TRUSTED_ORIGINS = []
 for host in ALLOWED_HOSTS:
     CSRF_TRUSTED_ORIGINS.append("https://" + host)
+
+# 2FA, see https://wagtail-2fa.readthedocs.io/en/stable/
+WAGTAIL_2FA_REQUIRED = os.getenv("WAGTAIL_2FA_REQUIRED", False)
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -27,6 +27,7 @@ wagtailmenus = "^3.1.9"
 boto3 = "^1.29.1"
 django-storages = "^1.14.2"
 wagtail-modeladmin = "^1.0.0"
+wagtail-2fa = "^1.6.6"
 
 
 [tool.poetry.group.dev.dependencies]