Added multi-factor authentication for account login

[mschwager]

Fixes #996.

Hey all,

I'm hoping to get some early feedback on this MFA work. Here's the current workflow:

Visit the account management page and configure MFA

Then, when logging in, you're presented with the same primary authentication page

If MFA is enabled for that user then you'll be asked to input an authentication token

This workflow is similar to what we were discussing in IRC. There's undoubtedly some UI/UX improvements to be made, but I was hoping to get some eyes (@dstufft, @di, @sergeykolosov, others?) on this as soon as possible. Addtionally, there's some things that need to be done, and probably some that should be done, before this is ready for prime time:

• Pass username/password along to MFA form when performing secondary authentication
• Allow disabling of MFA in account management
• Add additional MFA tests for the accounts views page
• Spot check UI/UX/verbiage

I'm about to take off for the weekend and was hoping to get this up before then :)

[mschwager]

Okay, finally appeased the linter and maintained 100% test coverage. Not sure what's up with the Dependencies job, it's been consistently failing on every run for reasons that aren't immediately obvious.

[di]

@mschwager The dependencies job is failing because you've added pyotp to requirements/main.txt, but it's not in requirements/main.in.

[mschwager]

Wooo! Everything passed - thanks @di!

[di]

No problem! Thanks for this work. Bear with us as it might take us a bit to fully review this.

[mschwager]

This check is a bit awkward. Basically, we have to check if _form_class is the default value set in the keyword argument. If we don't then testing becomes difficult because passing in a stubbed form_class will be overwritten when we set it to LoginWithMfaForm.

I typically don't like writing code that's been contorted to make tests pass, but I couldn't see a good way around it without a more significant refactor. I'm open to ideas though!

[mschwager]

I just rebased on top of master.

Looks like the Dependencies CI job is complaining again:

echo "$DEPCHECKER" | python - /tmp/tmp.xiuuNpsu8m/main.txt requirements/main.txt
+ future
make[1]: *** [deps] Error 1
make[1]: Leaving directory `/home/travis/build/pypa/warehouse'
make: *** [travis-deps] Error 2

It looks like it's complaining that future is in requirements/main.txt but not requirements/main.in. That's how it is on master, though, so I'm not sure how CI is succeeding there.

[di]

@mschwager It's due to a recent release of readme_renderer which removes the future dependency. That will be fixed in #4965.

[mschwager]

Ahhh - thanks for the heads up! I rebased on master and it looks like it's fixed!

[mschwager]

I've rebased on top of the latest code in master. Still hoping to get a review on this.

[brainwane]

As @woodruffw said about a related PR:

I've restarted work on this in master...trailofbits:tob/996-add-2fa-support. Will open a PR shortly so that others can review progress in real time.

His PR is #5567.

(Context: this grant-funded project.)

[brainwane]

@mschwager Your work is one of the sources Will is learning from here -- thank you so much for it!

[di]

Closing in favor of #5567, but thank you for your contribution!