feat: require 2fa for new users #14294
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduced in pypi#14126, check was only applied for the SessionSecurityPolicy. Migrating it into the common helper applies to both Session and BasicAuth policies. It was implicitly being checked before with BasicAuth via `_check_mfa` which, if enabled and mandated, would have required a verified email anyhow. Moving it into the helper allows us to have a consistent requirement across both policies. Signed-off-by: Mike Fiedler <miketheman@gmail.com>
Hooks into security policy to require all non-account management actions to have a form of 2FA set up. Adds a time-based restriction for new users, which we can remove when we want to enforce for everyone. Resolves pypi#13762 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
Signed-off-by: Mike Fiedler <miketheman@gmail.com>
|
The current user experience behaves the same for anyone prior to 2023-08-01 regardless of 2FA status. For anyone past that date, they will still have the top banner prompt (unless they dismiss it) but then any management action they attempt without 2FA enabled will flash a red banner and dump them on the 2FA enrollment page. |
ewdurbin
approved these changes
Aug 7, 2023
Signed-off-by: Mike Fiedler <miketheman@gmail.com>
miketheman
added a commit
to miketheman/warehouse
that referenced
this pull request
Aug 17, 2023
Prior to this change, after a user has registered, and verified their email address, they end up on their own account management page. If they try to take any non-account actions, they get a red bar telling them to set up 2FA. Since we will already show users a blue notice that they _can_ set up 2FA, why not send them there immediately after confirming their email to complete the task. The template change is to prevent adding the blue bar at the top of the session, since they are already on the right page. We can deduce that from the `Referrer` header. Follows pypi#14294 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
miketheman
added a commit
to miketheman/warehouse
that referenced
this pull request
Sep 7, 2023
Expand the policy to include file upload actions. Follows pypi#14294 Refs pypi#13762 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hooks into security policy to require all non-account management actions
to have a form of 2FA set up.
Adds a time-based restriction for new users, which we can remove when we
want to enforce for everyone.
Resolves #13762
Includes refactor adf056e