add password and TOTP PIN fields to user form with validation and QR code generation

2026-03-17 14:26:18 +00:00 · 2026-03-15 17:08:58 -03:00
parent 75d4fb022b
commit 2386d8fbb3
3 changed files with 183 additions and 5 deletions
--- a/gatekeeper/forms.py
+++ b/gatekeeper/forms.py
@@ -1,7 +1,10 @@
+import re
+
 import pyotp
+from argon2 import PasswordHasher
 from crispy_forms.bootstrap import PrependedText
 from crispy_forms.helper import FormHelper
-from crispy_forms.layout import Layout, Submit, HTML, Div, Field
+from crispy_forms.layout import Layout, Submit, HTML, Div
 from django import forms
 from django.utils.translation import gettext_lazy as _

@@ -10,13 +13,30 @@ from gatekeeper.models import GatekeeperUser, GatekeeperGroup, AuthMethod, AuthM


 class GatekeeperUserForm(forms.ModelForm):
+    password = forms.CharField(
+        label=_('Password'),
+        required=False,
+        widget=forms.PasswordInput(render_value=False),
+        help_text=_('Minimum 8 characters, with at least one uppercase letter, one lowercase letter, and one number.'),
+    )
+    password_confirm = forms.CharField(
+        label=_('Confirm Password'),
+        required=False,
+        widget=forms.PasswordInput(render_value=False),
+    )
+    totp_pin = forms.CharField(
+        label=_('TOTP Validation PIN'),
+        max_length=6,
+        required=False,
+        help_text=_('Enter a 6-digit PIN generated by your authenticator app to validate the secret.'),
+    )
+
    class Meta:
        model = GatekeeperUser
-        fields = ['username', 'email', 'password', 'totp_secret']
+        fields = ['username', 'email', 'totp_secret']
        labels = {
            'username': _('Username'),
            'email': _('Email'),
-            'password': _('Password'),
            'totp_secret': _('TOTP Secret'),
        }

@@ -24,6 +44,10 @@ class GatekeeperUserForm(forms.ModelForm):
        cancel_url = kwargs.pop('cancel_url', '#')
        super().__init__(*args, **kwargs)

+        is_edit = bool(self.instance and self.instance.pk)
+        self.fields['password'].required = not is_edit
+        self.fields['password_confirm'].required = not is_edit
+
        self.helper = FormHelper()
        self.helper.layout = Layout(
            Div(
@@ -32,8 +56,13 @@ class GatekeeperUserForm(forms.ModelForm):
                css_class='row'
            ),
            Div(
-                Div(Field('password', type='password'), css_class='col-xl-6'),
+                Div('password', css_class='col-xl-6'),
+                Div('password_confirm', css_class='col-xl-6'),
+                css_class='row'
+            ),
+            Div(
                Div('totp_secret', css_class='col-xl-6'),
+                Div('totp_pin', css_class='col-xl-6'),
                css_class='row'
            ),
            Div(
@@ -46,6 +75,52 @@ class GatekeeperUserForm(forms.ModelForm):
            )
        )

+    def clean(self):
+        cleaned_data = super().clean()
+        password = cleaned_data.get('password')
+        password_confirm = cleaned_data.get('password_confirm')
+        totp_secret = cleaned_data.get('totp_secret')
+        is_new = not (self.instance and self.instance.pk)
+
+        if password or is_new:
+            if not password:
+                self.add_error('password', _('Password is required.'))
+            else:
+                if len(password) < 8:
+                    self.add_error('password', _('Password must be at least 8 characters long.'))
+                elif not re.search(r'[a-z]', password):
+                    self.add_error('password', _('Password must contain at least one lowercase letter.'))
+                elif not re.search(r'[A-Z]', password):
+                    self.add_error('password', _('Password must contain at least one uppercase letter.'))
+                elif not re.search(r'[0-9]', password):
+                    self.add_error('password', _('Password must contain at least one number.'))
+                elif password != password_confirm:
+                    self.add_error('password_confirm', _('Passwords do not match.'))
+
+        if totp_secret:
+            totp_pin = cleaned_data.get('totp_pin')
+            if not totp_pin:
+                self.add_error('totp_pin', _('Please provide a PIN to validate the TOTP secret.'))
+            else:
+                try:
+                    totp = pyotp.TOTP(totp_secret)
+                    if not totp.verify(totp_pin):
+                        self.add_error('totp_pin', _('Invalid TOTP PIN.'))
+                except Exception:
+                    self.add_error('totp_secret', _('Invalid TOTP secret format. Must be a valid Base32 string.'))
+
+        return cleaned_data
+
+    def save(self, commit=True):
+        user = super().save(commit=False)
+        password = self.cleaned_data.get('password')
+        if password:
+            ph = PasswordHasher()
+            user.password = ph.hash(password)
+        if commit:
+            user.save()
+        return user
+

 class GatekeeperGroupForm(forms.ModelForm):
    class Meta:
--- a/gatekeeper/views.py
+++ b/gatekeeper/views.py
@@ -64,12 +64,32 @@ def view_manage_gatekeeper_user(request):
        messages.success(request, _('Gatekeeper User saved successfully.'))
        return redirect(cancel_url)

+    form_description = {
+        'size': 'col-lg-6',
+        'content': _('''
+        <h4>Gatekeeper User</h4>
+        <p>Gatekeeper users are used for authenticating against protected applications managed by this gateway.</p>
+
+        <h5>Password</h5>
+        <p>Required when creating a user. When editing, leave both password fields blank to keep the current password.
+        Passwords are stored using <strong>Argon2id</strong> hashing.</p>
+
+        <h5>TOTP Secret</h5>
+        <p>Optional per-user TOTP secret. When set, this user will authenticate using their own secret instead of the
+        global TOTP secret configured on the Authentication Method. Use the buttons below the field to generate a
+        random secret and scan the QR code with your authenticator app. Validate the secret by entering the current
+        6-digit PIN before saving.</p>
+        ''')
+    }
+
    context = {
        'form': form,
+        'form_size': 'col-lg-6',
        'title': title,
        'page_title': title,
+        'form_description': form_description,
    }
-    return render(request, 'generic_form.html', context)
+    return render(request, 'gatekeeper/gatekeeper_user_form.html', context)


@login_required
--- a/templates/gatekeeper/gatekeeper_user_form.html
+++ b/templates/gatekeeper/gatekeeper_user_form.html
@@ -0,0 +1,83 @@
+{% extends 'base.html' %}
+{% load crispy_forms_tags %}
+{% load i18n %}
+
+{% block content %}
+    <div class='row'>
+        <div class='{% if form_size %}{{ form_size }}{% else %}col-lg-6{% endif %}'>
+            <div class="card card-primary card-outline">
+                {% if page_title %}
+                    <div class="card-header">
+                        <h3 class="card-title">{{ page_title }}</h3>
+                    </div>
+                {% endif %}
+                <div class="card-body row">
+                    <div class="col-lg-12">
+                            {% csrf_token %}
+                            {% crispy form %}
+                    </div>
+                </div>
+            </div>
+        </div>
+
+    {% if form_description %}
+        <div class='{% if form_description.size %}{{ form_description.size }}{% else %}col-lg-6{% endif %}'>
+            <div class="card card-primary card-outline">
+
+                <div class="card-body row">
+                    <div class="col-lg-12">
+                        {{ form_description.content|safe }}
+                    </div>
+                </div>
+            </div>
+        </div>
+    {% endif %}
+
+    </div>
+{% endblock %}
+
+{% block custom_page_scripts %}
+<script>
+    $(document).ready(function () {
+        var qrContainer = $('<div class="mt-3 text-center" style="display:none;" id="qrCodeContainer"><img id="qrCodeImg" src="" class="img-fluid" style="border: 2px solid #ddd; border-radius: 8px; max-width: 250px;"/></div>');
+        var btnShowQr = $('<button type="button" class="btn btn-sm btn-info mt-2 mr-1" id="btnShowQr"><i class="fas fa-qrcode"></i> {% trans 'View QR Code' %}</button>');
+        var btnGenerate = $('<button type="button" class="btn btn-sm btn-secondary mt-2" id="btnGenerateTotp"><i class="fas fa-sync-alt"></i> {% trans 'Generate TOTP Secret' %}</button>');
+
+        $('#div_id_totp_secret').append(btnShowQr);
+        $('#div_id_totp_secret').append(btnGenerate);
+        $('#div_id_totp_secret').append(qrContainer);
+
+        function generateBase32Secret() {
+            var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+            var randomBytes = new Uint8Array(32);
+            window.crypto.getRandomValues(randomBytes);
+            var result = '';
+            for (var digit = 0; digit < 32; digit++) {
+                result += chars[randomBytes[digit] % 32];
+            }
+            return result;
+        }
+
+        $('#btnGenerateTotp').click(function (e) {
+            e.preventDefault();
+            $('#id_totp_secret').val(generateBase32Secret());
+            $('#qrCodeContainer').slideUp();
+        });
+
+        $('#btnShowQr').click(function (e) {
+            e.preventDefault();
+            var secret = $('#id_totp_secret').val();
+            var name = $('#id_username').val() || 'Gatekeeper';
+
+            if (!secret) {
+                alert("{% trans 'Please enter a TOTP Secret first to generate the QR code.' %}");
+                return;
+            }
+
+            var url = '/gatekeeper/auth_method/qr/?secret=' + encodeURIComponent(secret) + '&name=' + encodeURIComponent(name);
+            $('#qrCodeImg').attr('src', url);
+            $('#qrCodeContainer').slideToggle();
+        });
+    });
+</script>
+{% endblock %}