feat: Implement TOTP-based Two-Factor Authentication

- Add django-otp and qrcode dependencies - Create comprehensive 2FA views and templates in German - Add 2FA setup, verification, and management interfaces - Implement backup token system with 10 recovery codes - Add TwoFactorMiddleware for session enforcement - Integrate 2FA controls into user navigation menu - Support QR code generation for authenticator apps - Add forms for secure 2FA operations with validation - Configure OTP settings and admin site integration Features: - Optional 2FA (users can enable/disable) - TOTP compatible with Google Authenticator, Authy, etc. - Backup codes for emergency access - German language interface - Session-based 2FA enforcement - Password confirmation for sensitive operations - Production-ready with HTTPS support
2025-09-30 00:10:02 +02:00
parent 92b689f5e7
commit ed6a02232e
29 changed files with 41444 additions and 1 deletions
--- a/app/core/settings.py
+++ b/app/core/settings.py
@@ -34,6 +34,9 @@ INSTALLED_APPS = [
    "django.contrib.staticfiles",
    "django.contrib.humanize",
    "rest_framework",
+    "django_otp",
+    "django_otp.plugins.otp_totp",
+    "django_otp.plugins.otp_static",
    "stiftung",
 ]
 # Add this to app/core/settings.py
@@ -46,6 +49,8 @@ MIDDLEWARE = [
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django_otp.middleware.OTPMiddleware",
+    "stiftung.middleware.TwoFactorMiddleware",  # 2FA enforcement middleware
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "stiftung.middleware.AuditMiddleware",  # Audit logging middleware
@@ -134,3 +139,14 @@ if not DEBUG:
    SECURE_HSTS_SECONDS = 31536000  # 1 year
    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
    SECURE_HSTS_PRELOAD = True
+
+# =============================================================================
+# TWO-FACTOR AUTHENTICATION SETTINGS
+# =============================================================================
+
+# django-otp settings
+OTP_TOTP_ISSUER = 'Stiftung Management System'
+OTP_LOGIN_URL = '/two-factor/login/'
+
+# Optional: Hide sensitive data in admin when not verified
+OTP_ADMIN_HIDE_SENSITIVE_DATA = True
--- a/app/core/urls.py
+++ b/app/core/urls.py
@@ -16,6 +16,7 @@ urlpatterns = [
        name="login",
    ),
    path("logout/", auth_views.LogoutView.as_view(), name="logout"),
+
 ]

 if settings.DEBUG: