✨(web) add 2FA authentication on Django admin

Author: AntoineAugusti

src/web/config/settings/base.py

@@ -83,6 +83,9 @@
     "django_htmx",
     "huey.contrib.djhuey",
     "dsfr",
+    "django_otp",
+    "django_otp.plugins.otp_totp",
+    "django_otp.plugins.otp_static",
     "infrastructure.django_apps.shared",
     "infrastructure.django_apps.ingestion",
     "infrastructure.django_apps.candidate",
@@ -99,6 +102,7 @@
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django_otp.middleware.OTPMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.csp.ContentSecurityPolicyMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",

src/web/config/urls.py

@@ -1,6 +1,7 @@
 from django.conf import settings
 from django.contrib import admin
 from django.urls import URLPattern, URLResolver, include, path
+from django_otp.admin import OTPAdminSite
 
 from presentation.api import urls as api_urls
 from presentation.ats import urls as ats_urls
@@ -9,6 +10,8 @@
 from presentation.pages import urls as pages_urls
 from presentation.users import urls as users_urls
 
+admin.site.__class__ = OTPAdminSite
+
 urlpatterns: list[URLPattern | URLResolver] = [
     path("", include(pages_urls)),
     path("api/", include(api_urls)),

src/web/pyproject.toml

@@ -26,6 +26,8 @@ dependencies = [
     "pypdf>=6.6.0,<7.0.0",
     "python-dateutil>=2.9.0.post0",
     "qdrant-client>=1.17.0",
+    "django-otp>=1.5.4,<2.0.0",
+    "qrcode>=8.0,<9.0",
     "redis>=7.4.0",
     "requests>=2.32.5,<2.33.0",
     "sentry-sdk[django]>=2.43.0,<3.0.0",

src/web/tests/shared/presentation/views/test_admin.py

@@ -0,0 +1,46 @@
+from http import HTTPStatus
+
+import pytest
+from django.test import Client
+from django_otp.oath import totp
+from django_otp.plugins.otp_totp.models import TOTPDevice
+
+from tests.factories.utilisateur_factory import DEFAULT_PASSWORD, UtilisateurFactory
+
+
+@pytest.mark.django_db
+class TestAdminOTPRequired:
+    def test_admin_shows_totp_input_for_staff_without_otp_device(self, client: Client):
+        user = UtilisateurFactory.create_model()
+        user.is_staff = True
+        user.is_superuser = True
+        user.save()
+
+        client.login(username=user.email, password=DEFAULT_PASSWORD)
+        response = client.get("/admin/", follow=True)
+
+        assert response.status_code == HTTPStatus.OK
+        assert b'id="id_otp_token"' in response.content
+
+    def test_admin_grants_access_with_valid_totp_token(self, client: Client):
+        user = UtilisateurFactory.create_model()
+        user.is_staff = True
+        user.is_superuser = True
+        user.save()
+
+        device = TOTPDevice.objects.create(user=user, confirmed=True)
+        token = totp(device.bin_key)
+
+        response = client.post(
+            "/admin/login/",
+            {
+                "username": user.email,
+                "password": DEFAULT_PASSWORD,
+                "otp_token": token,
+                "next": "/admin/",
+            },
+            follow=True,
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        assert response.wsgi_request.user.is_verified()