django-mfa3

multi factor authentication for django
git clone https://git.ce9e.org/django-mfa3.git

commit
be6b093e7ce8a11499860ea39c692c0ac72662f8
parent
a77094f37fc308481632847dacf16be9c7e21530
Author
Tobias Bengfort <tobias.bengfort@posteo.de>
Date
2023-04-13 05:24
Merge pull request #17 from humphrey/http-on-localhost

Allow http on localhost

Diffstat

M mfa/methods/fido2.py 35 ++++++++++++++++++++++++++++++++---

1 files changed, 32 insertions, 3 deletions


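--- a/mfa/methods/fido2.py
+++ b/mfa/methods/fido2.py
@@ -1,3 +1,7 @@
+from typing import Union
+from urllib.parse import urlparse
+
+from django.conf import settings as django_settings
 from fido2 import cbor
 from fido2.server import Fido2Server
 from fido2.utils import websafe_decode
@@ -12,9 +16,34 @@ from .. import settings
 
 name = 'FIDO2'
 
-fido2 = Fido2Server(PublicKeyCredentialRpEntity(
-    id=settings.DOMAIN, name=settings.SITE_TITLE
-))
+
+def _get_verify_origin_fn():
+    """
+    Returns a custom verify_origin function which allows HTTP if using localhost.
+    Why: browsers are allowed to consider localhost as a secure context, which is helpful for development.
+    Setting a custom verify_origin like this is the solution suggested by python-fido2.
+    See https://github.com/Yubico/python-fido2/issues/122
+    """
+
+    def is_localhost(hostname: Union[str,bytes]):
+        return hostname == 'localhost' or hostname.endswith('.localhost')
+
+    # This is the custom verify_origin function
+    def verify_localhost_origin(origin):
+        return is_localhost(urlparse(origin).hostname)
+
+    # This custom function is only helpful if configured to use localhost in development
+    if django_settings.DEBUG and is_localhost(settings.DOMAIN):
+        return verify_localhost_origin
+
+    # If custom function is not needed, fallback to using the python-fido2 default function.
+    return None
+
+
+fido2 = Fido2Server(
+    rp=PublicKeyCredentialRpEntity(id=settings.DOMAIN, name=settings.SITE_TITLE),
+    verify_origin=_get_verify_origin_fn(),
+)
 
 
 def encode(data):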
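Review bot: `verify_localhost_origin` accepts any origin whose host is `localhost` or ends in `.localhost`, without checking the scheme or comparing the host to `settings.DOMAIN`, so with `DOMAIN = 'app.localhost'` a client-data origin such as `http://other.localhost` passes this check even though it is not the configured RP ID. The function is only installed when `DEBUG` is on and `DOMAIN` is a localhost name, so the exposure is limited to development setups, but the check can stay tied to the RP ID and relax only the scheme: `u = urlparse(origin); host = u.hostname or ''` followed by `return u.scheme in ('http', 'https') and (host == settings.DOMAIN or host.endswith('.' + settings.DOMAIN))`. The `or ''` also covers `urlparse(origin).hostname` being `None` for an origin with no netloc, which at present raises `AttributeError` inside `is_localhost` rather than returning `False`. The `Union[str,bytes]` annotation on `is_localhost` is misleading as well, since `endswith('.localhost')` raises `TypeError` on a bytes value; `Optional[str]` with an explicit `None` guard would describe what the function actually receives.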