Add option to disable MFA (#7757)

* Add changes from https://github.com/inventree/InvenTree/pull/7747 * disable addition of factors * rename variable
2025-10-31 13:15:43 +00:00 · 2024-07-30 12:56:47 +02:00
parent 6c089d3869
commit 930356f32b
4 changed files with 22 additions and 1 deletions
--- a/src/backend/InvenTree/InvenTree/forms.py
+++ b/src/backend/InvenTree/InvenTree/forms.py
@@ -15,6 +15,7 @@ from allauth.account.forms import LoginForm, SignupForm, set_form_field_order
 from allauth.core.exceptions import ImmediateHttpResponse
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from allauth_2fa.adapter import OTPAdapter
+from allauth_2fa.forms import TOTPDeviceForm
 from allauth_2fa.utils import user_has_valid_totp_device
 from crispy_forms.bootstrap import AppendedText, PrependedAppendedText, PrependedText
 from crispy_forms.helper import FormHelper
@@ -211,6 +212,16 @@ class CustomSignupForm(SignupForm):
        return cleaned_data


+class CustomTOTPDeviceForm(TOTPDeviceForm):
+    """Ensure that db registration is enabled."""
+
+    def __init__(self, user, metadata=None, **kwargs):
+        """Override to check if registration is open."""
+        if not settings.MFA_ENABLED:
+            raise forms.ValidationError(_('MFA Registration is disabled.'))
+        super().__init__(user, metadata, **kwargs)
+
+
 def registration_enabled():
    """Determine whether user registration is enabled."""
    if get_global_setting('LOGIN_ENABLE_REG') or InvenTree.sso.registration_enabled():
--- a/src/backend/InvenTree/InvenTree/settings.py
+++ b/src/backend/InvenTree/InvenTree/settings.py
@@ -1210,6 +1210,9 @@ ACCOUNT_FORMS = {
    'reset_password_from_key': 'allauth.account.forms.ResetPasswordKeyForm',
    'disconnect': 'allauth.socialaccount.forms.DisconnectForm',
 }
+ALLAUTH_2FA_FORMS = {'setup': 'InvenTree.forms.CustomTOTPDeviceForm'}
+# Determine if multi-factor authentication is enabled for this server (default = True)
+MFA_ENABLED = get_boolean_setting('INVENTREE_MFA_ENABLED', 'mfa_enabled', True)

 SOCIALACCOUNT_ADAPTER = 'InvenTree.forms.CustomSocialAccountAdapter'
 ACCOUNT_ADAPTER = 'InvenTree.forms.CustomAccountAdapter'
--- a/src/backend/InvenTree/InvenTree/social_auth_urls.py
+++ b/src/backend/InvenTree/InvenTree/social_auth_urls.py
@@ -3,6 +3,7 @@
 import logging
 from importlib import import_module

+from django.conf import settings
 from django.urls import NoReverseMatch, include, path, reverse

 from allauth.account.models import EmailAddress
@@ -177,7 +178,9 @@ class SocialProviderListView(ListAPI):
        data = {
            'sso_enabled': InvenTree.sso.login_enabled(),
            'sso_registration': InvenTree.sso.registration_enabled(),
-            'mfa_required': get_global_setting('LOGIN_ENFORCE_MFA'),
+            'mfa_required': settings.MFA_ENABLED
+            and get_global_setting('LOGIN_ENFORCE_MFA'),
+            'mfa_enabled': settings.MFA_ENABLED,
            'providers': provider_list,
            'registration_enabled': get_global_setting('LOGIN_ENABLE_REG'),
            'password_forgotten_enabled': get_global_setting('LOGIN_ENABLE_PWD_FORGOT'),