Add 'otp_force' basic setting (#1051)

If the 'otp_force' and 'otp_field_enabled' basic settings are both enabled, automatically enable 2FA for the user after login or signup, if needed, by setting a new OTP secret. Redirect the user to a welcome page for scanning the QR code.

Also show the secret key in ASCII form on the user profile page for easier copying into other applications.

powerdnsadmin/models/setting.py

@@ -189,6 +189,7 @@ class Setting(db.Model):
         'ttl_options': '1 minute,5 minutes,30 minutes,60 minutes,24 hours',
         'otp_field_enabled': True,
         'custom_css': '',
+        'otp_force': False,
         'max_history_records': 1000
     }
 

powerdnsadmin/models/user.py

@@ -8,6 +8,9 @@ import ldap.filter
 from flask import current_app
 from flask_login import AnonymousUserMixin
 from sqlalchemy import orm
+import qrcode as qrc
+import qrcode.image.svg as qrc_svg
+from io import BytesIO
 
 from .base import db
 from .role import Role
@@ -633,6 +636,13 @@ class User(db.Model):
         for q in query:
             accounts.append(q[1])
         return accounts
+    
+    def get_qrcode_value(self):
+        img = qrc.make(self.get_totp_uri(),
+                    image_factory=qrc_svg.SvgPathImage)
+        stream = BytesIO()
+        img.save(stream)
+        return stream.getvalue()
 
 
     def read_entitlements(self, key):
@@ -794,7 +804,4 @@ def getUserInfo(DomainsOrAccounts):
     current=[]
     for DomainOrAccount in DomainsOrAccounts:
         current.append(DomainOrAccount.name)
-    return current
-
-        
-
+    return current