| Name | wagtail-mfa |
| --- | --- |
| Version | 0.1.0 |
| home_page | None |
| Summary | Secure your Wagtail site with multi-factor authentication. Supports TOTP and WebAuthn/Passkeys. |
| upload_time | 2024-06-13 13:23:37 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.9 |
| license | None |
| keywords | 2fa, mfa, passkeys, security, totp, wagtail, webauthn |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# Wagtail MFA
Wagtail MFA is a multi-factor authentication package for Wagtail. It adds an extra layer of security to your Wagtail admin interface.
Under the hood, Wagtail MFA uses [django-otp](https://github.com/django-otp/django-otp/) and [django-otp-webauthn](https://github.com/Stormbase/django-otp-webauthn) to provide the Passkey login functionality. All this package does is provide a Wagtail-specific UI to let users manage their MFA settings and a page for MFA verification.
> [!IMPORTANT]
> This package is alpha and not yet feature-complete. It hasn't been thoroughly tested and documented yet. If you are interested in using this package, please star this repository to show your interest. Eventually, I intend to
## Screenshots
<table>
<tbody>
<tr>
<th>Safari autofill prompt for saved Passkey</th>
<th>Login with fingerprint</th>
<th>Registered Passkeys</th>
</tr>
<tr>
<td>
<a href="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-login-autofill-prompt.png" target="_blank">
<img src="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-login-autofill-prompt.png" alt="Wagtail login page showing a browser prompt to login to this site using saved Passkey">
</a>
</td>
<td>
<a href="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-login-touchid-prompt.png" target="_blank">
<img src="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-login-touchid-prompt.png" alt="Wagtail login page showing a browser prompt asking for a fingerprint scan">
</a>
</td>
<td>
<a href="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-user-passkeys-listing.png" target="_blank">
<img src="https://github.com/Stormbase/wagtail-mfa/blob/main/docs/images/wagtail-user-passkeys-listing.png" alt="Wagtail account settings page showing a list of registered Passkeys">
</a>
</td>
</tr>
</tbody>
</table>
## Features
Supported authentication methods:
- Passkeys (passwordless login supported)
**Coming soon:**
- Time-based one-time passwords (TOTP)
- Recovery codes
## Supported browsers
Passkeys are still a relatively new technology, and not all browsers support them reliably. The following browsers have been tested and are known to work with Passkeys:
- Chrome 125 on macOS 14
- Firefox 126 on macOS 14 (with known issues, see [Known issues](#known-issues))[^1]
- Safari 17 on macOS 14

[^1]: There is a known issue with logging in without a password, see [Known issues](#known-issues) for more information.
## Requirements
- Python >= 3.9
- Django >= 4.2
- Wagtail >= 5.2
## Installation
Install the package using pip:
```console
pip install wagtail-mfa
```
Add all required apps to your `INSTALLED_APPS`:
```python
# settings.py
INSTALLED_APPS = [
    # ...
    # Wagtail MFA must appear before wagtail because it overrides the default Wagtail login template
    "wagtail_mfa",
    # ...
    # django-otp and django-otp-webauthn are required
    "django_otp",
    "django_otp_webauthn",
    # ...
]
```
For Passkeys to work properly, you need to set some additional `django_otp_webauthn` settings.
Adapt and add the following code snippet to your `settings.py`:
```python
# settings.py
OTP_WEBAUTHN_RP_ID = "your-domain.com"
OTP_WEBAUTHN_RP_NAME = WAGTAIL_SITE_NAME
OTP_WEBAUTHN_ALLOWED_ORIGINS = ["https://your-domain.com", "https://subdomain.your-domain.com"]
```
## Configuration
### `OTP_WEBAUTHN_RP_ID`
_example: `your-domain.com`_
This setting is the primary domain of your site. Passkeys are bound to this domain. This cannot be a 'public suffix' domain like `your-app.compute.amazonaws.com` or `your-app.herokuapp.com`. It must be a domain you own. Browsers will refuse to create Passkeys for public suffix domains. For a complete list of public suffix domains, see [publicsuffix.org](https://publicsuffix.org/list/public_suffix_list.dat).
### `OTP_WEBAUTHN_RP_NAME`
_example: `My Cool Wagtail Site`_
Some browsers show this name when registering a Passkey. This can be the name of your site or your company.
### `OTP_WEBAUTHN_ALLOWED_ORIGINS`
_example: `["https://your-domain.com", "https://subdomain.your-domain.com"]`_
This setting is similar to Django's [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/dev/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS) setting and is used to verify Passkey registration/authentication requests. Each entry must be an `https://` origin on the `OTP_WEBAUTHN_RP_ID` domain or one of its subdomains. Do not include a trailing slash.
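
The constraints described for `OTP_WEBAUTHN_RP_ID` and `OTP_WEBAUTHN_ALLOWED_ORIGINS` can be checked before deployment. The following is an added example, not code from wagtail-mfa or django-otp-webauthn; the function name `check_webauthn_settings` and its `public_suffixes` parameter are hypothetical, and the suffix set is assumed to be loaded by the caller from the Public Suffix List.

```python
from urllib.parse import urlsplit


def check_webauthn_settings(rp_id, allowed_origins, public_suffixes=frozenset()):
    """Return a list of problems; an empty list means the values are consistent.

    public_suffixes is an optional set of suffixes taken from the Public
    Suffix List (assumption: exact-match entries only, no wildcard rules).
    """
    problems = []
    rp_id = rp_id.lower().rstrip(".")
    if rp_id in public_suffixes:
        problems.append(f"RP ID {rp_id!r} is a public suffix")

    for origin in allowed_origins:
        parts = urlsplit(origin)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            problems.append(f"{origin!r}: scheme must be https")
        if parts.path or parts.query or parts.fragment:
            problems.append(f"{origin!r}: must be a bare origin (no trailing slash or path)")
        # Compare on a label boundary: a plain endswith(rp_id) would also
        # accept look-alike hosts such as "evil-your-domain.com".
        if host != rp_id and not host.endswith("." + rp_id):
            problems.append(f"{origin!r}: host is not {rp_id!r} or a subdomain of it")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample_suffixes = {"herokuapp.com"}
    candidates = [
        "https://your-domain.com",
        "https://subdomain.your-domain.com",
        "https://your-domain.com/",      # trailing slash
        "http://your-domain.com",        # not https
        "https://evil-your-domain.com",  # look-alike, not a subdomain
    ]
    for problem in check_webauthn_settings("your-domain.com", candidates, sample_suffixes):
        print(problem)
```

Run against the constructed list, the first two origins pass and each of the last three is reported once.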
## Known issues
- **Issues on Firefox**. When using Firefox to register and store a Passkey on an Android device, the Passkey will not be available to use for passwordless login. This is because Firefox does not create a `discoverable credential`. This appears to be a limitation of Firefox. This issue was observed on Firefox 126 on macOS 14.
- **Multi-site has limited support.** WebAuthn does not currently support using Passkeys across different domains. If you create a Passkey for `your-site.com`, you cannot use it to authenticate on `another-site.com`. Subdomains like `subdomain.your-site.com` are supported, however.
## Development
See [DEVELOPMENT.md](DEVELOPMENT.md) for information on how to develop and contribute to this project.
## License
This project is licensed under the BSD 3-Clause License. See the [LICENSE](LICENSE) file for details.