feat: Implement TOTP-based Two-Factor Authentication

- Add django-otp and qrcode dependencies - Create comprehensive 2FA views and templates in German - Add 2FA setup, verification, and management interfaces - Implement backup token system with 10 recovery codes - Add TwoFactorMiddleware for session enforcement - Integrate 2FA controls into user navigation menu - Support QR code generation for authenticator apps - Add forms for secure 2FA operations with validation - Configure OTP settings and admin site integration Features: - Optional 2FA (users can enable/disable) - TOTP compatible with Google Authenticator, Authy, etc. - Backup codes for emergency access - German language interface - Session-based 2FA enforcement - Password confirmation for sensitive operations - Production-ready with HTTPS support
2025-09-30 00:10:02 +02:00
parent 92b689f5e7
commit ed6a02232e
29 changed files with 41444 additions and 1 deletions
--- a/app/stiftung/forms.py
+++ b/app/stiftung/forms.py
@@ -1476,3 +1476,84 @@ class VierteljahresNachweisForm(forms.ModelForm):
                )
        
        return cleaned_data
+
+
+# Two-Factor Authentication Forms
+
+class TwoFactorSetupForm(forms.Form):
+    """Form for setting up 2FA with TOTP verification"""
+    token = forms.CharField(
+        max_length=6,
+        min_length=6,
+        widget=forms.TextInput(attrs={
+            'class': 'form-control text-center',
+            'placeholder': '000000',
+            'autocomplete': 'off',
+            'pattern': '[0-9]{6}',
+            'inputmode': 'numeric'
+        }),
+        label='Bestätigungscode',
+        help_text='6-stelliger Code aus Ihrer Authenticator-App'
+    )
+
+    def clean_token(self):
+        token = self.cleaned_data.get('token')
+        if token and not token.isdigit():
+            raise ValidationError('Der Code darf nur Zahlen enthalten.')
+        return token
+
+
+class TwoFactorVerifyForm(forms.Form):
+    """Form for verifying 2FA during login"""
+    otp_token = forms.CharField(
+        max_length=8,
+        min_length=6,
+        widget=forms.TextInput(attrs={
+            'class': 'form-control form-control-lg text-center',
+            'placeholder': '000000',
+            'autocomplete': 'off',
+            'autofocus': True
+        }),
+        label='Authentifizierungscode',
+        help_text='6-stelliger Code aus der App oder 8-stelliger Backup-Code'
+    )
+
+    def clean_otp_token(self):
+        token = self.cleaned_data.get('otp_token')
+        if token:
+            token = token.strip().lower()
+            # Allow 6-digit TOTP codes or 8-character backup codes
+            if len(token) == 6 and token.isdigit():
+                return token
+            elif len(token) == 8 and re.match(r'^[a-f0-9]{8}$', token):
+                return token
+            else:
+                raise ValidationError(
+                    'Bitte geben Sie einen 6-stelligen Authenticator-Code oder 8-stelligen Backup-Code ein.'
+                )
+        return token
+
+
+class TwoFactorDisableForm(forms.Form):
+    """Form for disabling 2FA with password confirmation"""
+    password = forms.CharField(
+        widget=forms.PasswordInput(attrs={
+            'class': 'form-control',
+            'autocomplete': 'current-password',
+            'autofocus': True
+        }),
+        label='Passwort',
+        help_text='Geben Sie Ihr aktuelles Passwort zur Bestätigung ein'
+    )
+
+
+class BackupTokenRegenerateForm(forms.Form):
+    """Form for regenerating backup tokens"""
+    password = forms.CharField(
+        widget=forms.PasswordInput(attrs={
+            'class': 'form-control',
+            'autocomplete': 'current-password'
+        }),
+        label='Passwort',
+        help_text='Geben Sie Ihr Passwort ein, um neue Backup-Codes zu generieren'
+    )