stages/authenticator_static: make static token size adjustable (#6565)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-08-17 22:48:05 +01:00 · 2023-08-17 22:48:05 +01:00 · 7b3d1a229f
parent 1d99ec95b5
commit 7b3d1a229f
18 changed files with 202 additions and 37 deletions
--- a/authentik/stages/authenticator_static/api.py
+++ b/authentik/stages/authenticator_static/api.py
@ -18,7 +18,12 @@ class AuthenticatorStaticStageSerializer(StageSerializer):
    class Meta:
        model = AuthenticatorStaticStage
-        fields = StageSerializer.Meta.fields + ["configure_flow", "friendly_name", "token_count"]
+        fields = StageSerializer.Meta.fields + [
            "configure_flow",
            "friendly_name",
            "token_count",
            "token_length",
        ]
 class AuthenticatorStaticStageViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py
+++ b/authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py
@ -0,0 +1,22 @@
 # Generated by Django 4.2.4 on 2023-08-17 17:34
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_stages_authenticator_static", "0006_authenticatorstaticstage_friendly_name"),
    ]
    operations = [
        migrations.AddField(
            model_name="authenticatorstaticstage",
            name="token_length",
            field=models.PositiveIntegerField(default=12),
        ),
        migrations.AlterField(
            model_name="authenticatorstaticstage",
            name="token_count",
            field=models.PositiveIntegerField(default=6),
        ),
    ]
--- a/authentik/stages/authenticator_static/models.py
+++ b/authentik/stages/authenticator_static/models.py
@ -13,7 +13,8 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 class AuthenticatorStaticStage(ConfigurableStage, FriendlyNamedStage, Stage):
    """Generate static tokens for the user as a backup."""
-    token_count = models.IntegerField(default=6)
+    token_count = models.PositiveIntegerField(default=6)
    token_length = models.PositiveIntegerField(default=12)
    @property
    def serializer(self) -> type[BaseSerializer]:
--- a/authentik/stages/authenticator_static/stage.py
+++ b/authentik/stages/authenticator_static/stage.py
@ -5,6 +5,7 @@ from rest_framework.fields import CharField, ListField
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.generators import generate_id
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 SESSION_STATIC_DEVICE = "static_device"
@ -50,7 +51,9 @@ class AuthenticatorStaticStageView(ChallengeStageView):
            device = StaticDevice(user=user, confirmed=False, name="Static Token")
            tokens = []
            for _ in range(0, stage.token_count):
-                tokens.append(StaticToken(device=device, token=StaticToken.random_token()))
+                tokens.append(
                    StaticToken(device=device, token=generate_id(length=stage.token_length))
                )
            self.request.session[SESSION_STATIC_DEVICE] = device
            self.request.session[SESSION_STATIC_TOKENS] = tokens
        return super().get(request, *args, **kwargs)
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -5859,9 +5859,15 @@
                },
                "token_count": {
                    "type": "integer",
-                    "minimum": -2147483648,
+                    "minimum": 0,
                    "maximum": 2147483647,
                    "title": "Token count"
                },
                "token_length": {
                    "type": "integer",
                    "minimum": 0,
                    "maximum": 2147483647,
                    "title": "Token length"
                }
            },
            "required": []
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-07-28 11:50+0000\n"
+"POT-Creation-Date: 2023-08-17 17:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -23,11 +23,11 @@ msgstr ""
 msgid "Successfully re-scheduled Task %(name)s!"
 msgstr ""
-#: authentik/api/schema.py:21
+#: authentik/api/schema.py:24
 msgid "Generic API Error"
 msgstr ""
-#: authentik/api/schema.py:29
+#: authentik/api/schema.py:32
 msgid "Validation Error"
 msgstr ""
@ -82,11 +82,11 @@ msgstr ""
 msgid "Create a SAML Provider by importing its Metadata."
 msgstr ""
-#: authentik/core/api/users.py:144
+#: authentik/core/api/users.py:150
 msgid "No leading or trailing slashes allowed."
 msgstr ""
-#: authentik/core/api/users.py:147
+#: authentik/core/api/users.py:153
 msgid "No empty segments in user path allowed."
 msgstr ""
@ -1871,11 +1871,11 @@ msgstr ""
 msgid "Invalid phone number"
 msgstr ""
-#: authentik/stages/authenticator_static/models.py:46
+#: authentik/stages/authenticator_static/models.py:47
 msgid "Static Authenticator Stage"
 msgstr ""
-#: authentik/stages/authenticator_static/models.py:47
+#: authentik/stages/authenticator_static/models.py:48
 msgid "Static Authenticator Stages"
 msgstr ""
--- a/schema.yml
+++ b/schema.yml
@ -21101,6 +21101,10 @@ paths:
        name: token_count
        schema:
          type: integer
      - in: query
        name: token_length
        schema:
          type: integer
      tags:
      - stages
      security:
@ -27547,7 +27551,11 @@ components:
        token_count:
          type: integer
          maximum: 2147483647
-          minimum: -2147483648
+          minimum: 0
        token_length:
          type: integer
          maximum: 2147483647
          minimum: 0
      required:
      - component
      - meta_model_name
@ -27579,7 +27587,11 @@ components:
        token_count:
          type: integer
          maximum: 2147483647
-          minimum: -2147483648
+          minimum: 0
        token_length:
          type: integer
          maximum: 2147483647
          minimum: 0
      required:
      - name
    AuthenticatorTOTPChallenge:
@ -34502,7 +34514,11 @@ components:
        token_count:
          type: integer
          maximum: 2147483647
-          minimum: -2147483648
+          minimum: 0
        token_length:
          type: integer
          maximum: 2147483647
          minimum: 0
    PatchedAuthenticatorTOTPStageRequest:
      type: object
      description: AuthenticatorTOTPStage Serializer
--- a/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
+++ b/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
@ -92,6 +92,28 @@ export class AuthenticatorStaticStageForm extends ModelForm<AuthenticatorStaticS
                            class="pf-c-form-control"
                            required
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.",
                            )}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${msg("Token length")}
                        ?required=${true}
                        name="tokenLength"
                    >
                        <input
                            type="text"
                            value="${first(this.instance?.tokenLength, 12)}"
                            class="pf-c-form-control"
                            required
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "The length of the individual generated tokens. Can be increased to improve security.",
                            )}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${msg("Configuration flow")}
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -5879,6 +5879,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -6195,6 +6195,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -5787,6 +5787,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr_FR.xlf
+++ b/web/xliff/fr_FR.xlf
@ -5894,6 +5894,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -6026,6 +6026,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -6130,6 +6130,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -5777,6 +5777,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -618,9 +618,9 @@
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
-        <target>未找到 URL &quot; 
+        <target>未找到 URL " 
-        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
+        <x id="0" equiv-text="${this.url}"/>"。</target>
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1072,8 +1072,8 @@
      </trans-unit>
      <trans-unit id="sa8384c9c26731f83">
-        <source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
+        <source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
-        <target>要允许任何重定向 URI，请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
+        <target>要允许任何重定向 URI，请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
      </trans-unit>
      <trans-unit id="s55787f4dfcdce52b">
@ -1819,8 +1819,8 @@
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -3248,8 +3248,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
      </trans-unit>
      <trans-unit id="s026555347e589f0e">
@ -4046,8 +4046,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
      </trans-unit>
      <trans-unit id="s44536d20bb5c8257">
@ -4056,8 +4056,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s3bb51cabb02b997e">
-        <source>Format: &quot;weeks=3;days=2;hours=3,seconds=2&quot;.</source>
+        <source>Format: "weeks=3;days=2;hours=3,seconds=2".</source>
-        <target>格式：&quot;weeks=3;days=2;hours=3,seconds=2&quot;。</target>
+        <target>格式："weeks=3;days=2;hours=3,seconds=2"。</target>
      </trans-unit>
      <trans-unit id="s04bfd02201db5ab8">
@ -4253,10 +4253,10 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
        <target>您确定要更新 
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot; 
+        <x id="0" equiv-text="${this.objectLabel}"/>" 
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
+        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -5372,7 +5372,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
+        <source>A "roaming" authenticator, like a YubiKey</source>
        <target>像 YubiKey 这样的“漫游”身份验证器</target>
      </trans-unit>
@ -5712,10 +5712,10 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s2d5f69929bb7221d">
-        <source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
+        <source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
        <target>
-        <x id="0" equiv-text="${prompt.name}"/>（&quot; 
+        <x id="0" equiv-text="${prompt.name}"/>（" 
-        <x id="1" equiv-text="${prompt.fieldKey}"/>&quot;，类型为 
+        <x id="1" equiv-text="${prompt.fieldKey}"/>"，类型为 
        <x id="2" equiv-text="${prompt.type}"/>）</target>
      </trans-unit>
@ -5764,7 +5764,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
        <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
      </trans-unit>
@ -7756,6 +7756,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
  <target>登出</target>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -5832,6 +5832,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -5831,6 +5831,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7cfe12cd14df9950">
  <source>Sign out</source>
 </trans-unit>
 <trans-unit id="s7caa8f7edb920909">
  <source>The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.</source>
 </trans-unit>
 <trans-unit id="s4aacc4e0277c1042">
  <source>Token length</source>
 </trans-unit>
 <trans-unit id="s6931695c4f563bc4">
  <source>The length of the individual generated tokens. Can be increased to improve security.</source>
 </trans-unit>
    </body>
  </file>