feat: Allow organisation admins to mandate 2fa for their organisation (…

…#2877)
Flagsmith · Nov 13, 2023 · 1d006fb · 1d006fb · vercel · Nov 13, 2023
1 parent 46ccc47
commit 1d006fb
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 9 deletions.
diff --git a/api/organisations/migrations/0047_organisation_force_2fa.py b/api/organisations/migrations/0047_organisation_force_2fa.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.20 on 2023-10-23 14:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('organisations', '0046_allow_allowed_projects_to_be_null'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='organisation',
+            name='force_2fa',
+            field=models.BooleanField(default=False),
+        ),
+    ]
diff --git a/api/organisations/models.py b/api/organisations/models.py
@@ -78,6 +78,7 @@ class Organisation(LifecycleModelMixin, SoftDeleteExportableModel):
     feature_analytics = models.BooleanField(
         default=False, help_text="Record feature analytics in InfluxDB"
     )
+    force_2fa = models.BooleanField(default=False)
 
     class Meta:
         ordering = ["id"]

diff --git a/api/organisations/serializers.py b/api/organisations/serializers.py
@@ -45,6 +45,7 @@ class Meta:
             "persist_trait_data",
             "block_access_to_admin",
             "restrict_project_create_to_admin",
+            "force_2fa",
         )
         read_only_fields = (
             "id",

diff --git a/frontend/common/dispatcher/app-actions.js b/frontend/common/dispatcher/app-actions.js
@@ -21,9 +21,10 @@ const AppActions = Object.assign({}, require('./base/_app-actions'), {
       identity,
     })
   },
-  confirmTwoFactor(pin, onError) {
+  confirmTwoFactor(pin, onError, isLoginPage) {
     Dispatcher.handleViewAction({
       actionType: Actions.CONFIRM_TWO_FACTOR,
+      isLoginPage,
       onError,
       pin,
     })

diff --git a/frontend/common/stores/account-store.js b/frontend/common/stores/account-store.js
@@ -39,7 +39,7 @@ const controller = {
         API.ajaxHandler(store, e)
       })
   },
-  confirmTwoFactor: (pin, onError) => {
+  confirmTwoFactor: (pin, onError, isLoginPage) => {
     store.saving()
 
     return data
@@ -50,6 +50,9 @@ const controller = {
         store.model.twoFactorConfirmed = true
 
         store.saved()
+        if (isLoginPage) {
+          window.location.href = `/projects`
+        }
       })
       .catch((e) => {
         if (onError) {
@@ -158,7 +161,7 @@ const controller = {
       })
       .then((res) => {
         API.trackEvent(Constants.events.LOGIN)
-
+        store.samlOrOauth = false
         if (res.ephemeral_token) {
           store.ephemeral_token = res.ephemeral_token
           store.model = {
@@ -189,6 +192,7 @@ const controller = {
         },
       )
       .then((res) => {
+        store.samlOrOauth = true
         if (res.ephemeral_token) {
           store.ephemeral_token = res.ephemeral_token
           store.model = {
@@ -381,8 +385,12 @@ const store = Object.assign({}, BaseStore, {
       return false
     }
 
+    if (store.samlOrOauth) {
+      return false
+    }
+
     return (
-      Utils.getFlagsmithHasFeature('forced_2fa') &&
+      Utils.getFlagsmithHasFeature('force_2fa') &&
       store.getOrganisations() &&
       store.getOrganisations().find((o) => o.force_2fa)
     )
@@ -505,7 +513,11 @@ store.dispatcherIndex = Dispatcher.register(store, (payload) => {
       controller.enableTwoFactor()
       break
     case Actions.CONFIRM_TWO_FACTOR:
-      controller.confirmTwoFactor(action.pin, action.onError)
+      controller.confirmTwoFactor(
+        action.pin,
+        action.onError,
+        action.isLoginPage,
+      )
       break
     case Actions.DISABLE_TWO_FACTOR:
       controller.disableTwoFactor()

diff --git a/frontend/web/components/App.js b/frontend/web/components/App.js
@@ -275,7 +275,7 @@ const App = class extends Component {
       )
     }
     if (AccountStore.forced2Factor()) {
-      return <AccountSettingsPage />
+      return <AccountSettingsPage isLoginPage={true} />
     }
     const projectNotLoaded =
       !ProjectStore.model && document.location.href.includes('project/')

diff --git a/frontend/web/components/TwoFactor.js b/frontend/web/components/TwoFactor.js
@@ -13,7 +13,7 @@ export default class TheComponent extends PureComponent {
   onError = () => this.setState({ error: true })
 
   render() {
-    // const { props } = this;
+    const { isLoginPage } = this.props
     return (
       <div>
         <AccountProvider>
@@ -38,7 +38,11 @@ export default class TheComponent extends PureComponent {
                 }
                 onRegister={() => {
                   this.setState({ error: null })
-                  confirmTwoFactor(this.state.pin, this.onError)
+                  confirmTwoFactor(
+                    this.state.pin,
+                    this.onError,
+                    isLoginPage || false,
+                  )
                 }}
               />
             </div>

diff --git a/frontend/web/components/pages/AccountSettingsPage.js b/frontend/web/components/pages/AccountSettingsPage.js
@@ -152,7 +152,7 @@ class TheComponent extends Component {
                 One of your organisations has enfoced Two-Factor Authentication,
                 please enable it to continue.
               </p>
-              <TwoFactor />
+              <TwoFactor isLoginPage={true} />
             </div>
           ) : (
             <div className='app-container container'>