gnh1201/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-09-05 17:31:12 +00:00
Code Issues Actions 34 Packages Projects Releases Wiki Activity

feature/require-mfa-by-admin - move docs

Browse Source
This commit is contained in:
Fredys Fonseca 2025-07-23 04:01:53 +00:00 committed by Fredys Fonseca Consuegra
parent df97c75d34
commit 1c52aa76eb
7 changed files with 13 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.env.development
View File

@ -2,6 +2,3 @@
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
#testing MFA Enforcement
MFA_FORCE=true

3
.env.production.sample
View File

@ -109,3 +109,6 @@ FETCH_REPLIES_MAX_SINGLE=500
# Max number of replies Collection pages to fetch - total
FETCH_REPLIES_MAX_PAGES=500
# MFA Required for Users
REQUIRE_MULTI_FACTOR_AUTH=false

4
app/controllers/concerns/mfa_force_concern.rb
View File

@ -14,12 +14,12 @@ module MfaForceConcern
return if current_user.otp_enabled?
return if mfa_setup_allowed_paths?
flash[:warning] = I18n.t('mfa_force.required_message')
flash[:warning] = I18n.t('require_multi_factor_auth.required_message')
redirect_to settings_otp_authentication_path
end
def mfa_force_enabled?
ENV['MFA_FORCE'] == 'true'
ENV['REQUIRE_MULTI_FACTOR_AUTH'] == 'true'
end
def mfa_setup_allowed_paths?

2
config/locales/en.yml
View File

@ -2119,6 +2119,6 @@ en:
otp_required: To use security keys please enable two-factor authentication first.
registered_on: Registered on %{date}
mfa_force:
require_multi_factor_auth:
required_message: The administrator of this site has configured as mandatory that users enable two-factor authentication due to security policies. Please configure your two-factor authentication to continue using the platform.
security_policy: Security Policy Requirement

6
config/locales/es.yml
View File

@ -2116,8 +2116,4 @@ es:
not_enabled: Aún no has activado WebAuthn
not_supported: Este navegador no soporta claves de seguridad
otp_required: Para usar claves de seguridad, por favor habilite primero la autenticación de doble factor.
registered_on: Registrado el %{date}
mfa_force:
required_message: El administrador de este sitio ha configurado como obligatorio que los usuarios habiliten la autenticación de dos factores debido a las políticas de seguridad. Por favor, configura tu autenticación de dos factores para continuar usando la plataforma.
security_policy: Requisito de Política de Seguridad
registered_on: Registrado el %{date}

139
docs/MFA_FORCE.md
View File

@ -1,139 +0,0 @@
# MFA Force Feature
## Overview
The MFA Force feature allows administrators to require all users to enable two-factor authentication (2FA) before they can access the platform. This is useful for organizations with strict security policies.
## Configuration
### Environment Variable
To enable MFA forcing, set the following environment variable:
```bash
MFA_FORCE=true
```
### Docker Compose
Add the environment variable to your `.env.production` file:
```env
MFA_FORCE=true
```
Or add it directly to your `docker-compose.yml`:
```yaml
services:
web:
environment:
- MFA_FORCE=true
# ... other configuration
```
## Behavior
When `MFA_FORCE=true` is set:
1. **After Login**: Users who don't have 2FA enabled will be automatically redirected to the 2FA setup page (`/settings/otp_authentication`)
2. **Message Display**: A warning message (using Mastodon's flash message system) is shown explaining that 2FA is required due to security policies
3. **Access Restriction**: Users cannot access most parts of the platform until they configure 2FA
4. **Allowed Pages**: Users can still access:
- 2FA setup pages (`/settings/otp_authentication`)
- 2FA confirmation pages (`/settings/two_factor_authentication/confirmation`)
- Account settings (`/settings/profile`)
- Logout (`/auth/sign_out`)
- Setup pages for unconfirmed users (`/auth/setup`)
5. **User Experience**: A clear message explains why 2FA is required and guides users through the setup process
## User Interface
### Message Display
When MFA forcing is enabled, users will see:
- **Warning Message**: "The administrator of this site has configured as mandatory that users enable two-factor authentication due to security policies. Please configure your two-factor authentication to continue using the platform."
- **Flash Message**: Uses Mastodon's built-in flash message system with warning styling
- **Visual Indicator**: A prominent notice on the 2FA setup page with a security icon
### Multi-language Support
The feature includes translations for:
- English
- Spanish
- And other supported languages
## Implementation Details
### Files Modified
1. **`app/controllers/concerns/mfa_force_concern.rb`**: Core logic for checking MFA requirements
2. **`app/controllers/application_controller.rb`**: Includes the MFA force concern
3. **`app/helpers/flashes_helper.rb`**: Updated to support warning flash messages
4. **`app/views/settings/two_factor_authentication/otp_authentication/show.html.haml`**: Updated to show the forced MFA message
5. **`app/javascript/styles/mastodon/forms.scss`**: Added styles for the MFA force notice
6. **`config/locales/en.yml`**: English translations
7. **`config/locales/es.yml`**: Spanish translations
### Testing
Run the tests to verify the functionality:
```bash
bundle exec rspec spec/controllers/concerns/mfa_force_concern_spec.rb
```
## Security Considerations
- **Existing Users**: Users who already have 2FA enabled are not affected
- **New Users**: All new users must configure 2FA before accessing the platform
- **Admin Access**: Administrators are also subject to this requirement
- **Graceful Degradation**: If the environment variable is not set, the feature is disabled
## Troubleshooting
### Common Issues
1. **Users can't access the platform**: Ensure they complete 2FA setup
2. **Message not appearing**: Check that `MFA_FORCE=true` is set correctly
3. **Translation missing**: Add translations to the appropriate locale files
### Disabling the Feature
To disable MFA forcing:
```bash
# Remove the environment variable or set it to false
MFA_FORCE=false
# or
unset MFA_FORCE
```
## Migration Guide
### For Existing Instances
1. **Backup**: Always backup your database before enabling this feature
2. **Communication**: Inform users about the new requirement
3. **Testing**: Test in a staging environment first
4. **Gradual Rollout**: Consider enabling for specific user groups first
### For New Instances
1. Set `MFA_FORCE=true` in your environment configuration
2. All new users will be required to set up 2FA during registration
## Related Features
- **Two-Factor Authentication**: The underlying 2FA system
- **Account Security**: General security features
- **User Management**: Admin tools for managing user accounts

12
spec/controllers/concerns/mfa_force_concern_spec.rb
View File

@ -16,9 +16,9 @@ RSpec.describe MfaForceConcern do
end
describe 'MFA force functionality' do
context 'when MFA_FORCE is enabled' do
context 'when REQUIRE_MULTI_FACTOR_AUTH is enabled' do
before do
allow(ENV).to receive(:[]).with('MFA_FORCE').and_return('true')
allow(ENV).to receive(:[]).with('REQUIRE_MULTI_FACTOR_AUTH').and_return('true')
sign_in user, scope: :user
end
@ -45,7 +45,7 @@ RSpec.describe MfaForceConcern do
it 'shows the required message' do
get :index
expect(flash[:warning]).to eq(I18n.t('mfa_force.required_message'))
expect(flash[:warning]).to eq(I18n.t('require_multi_factor_auth.required_message'))
end
context 'when accessing MFA setup pages' do
@ -70,9 +70,9 @@ RSpec.describe MfaForceConcern do
end
end
context 'when MFA_FORCE is disabled' do
context 'when REQUIRE_MULTI_FACTOR_AUTH is disabled' do
before do
allow(ENV).to receive(:[]).with('MFA_FORCE').and_return('false')
allow(ENV).to receive(:[]).with('REQUIRE_MULTI_FACTOR_AUTH').and_return('false')
sign_in user, scope: :user
user.update(otp_required_for_login: false)
end
@ -85,7 +85,7 @@ RSpec.describe MfaForceConcern do
context 'when user is not signed in' do
before do
allow(ENV).to receive(:[]).with('MFA_FORCE').and_return('true')
allow(ENV).to receive(:[]).with('REQUIRE_MULTI_FACTOR_AUTH').and_return('true')
end
it 'allows access to normal pages' do