stages/authenticator_email: Email OTP (#12630)

* stages/authenticator_email: Add basic structure for stages/authenticator_email

* stages/authenticator_email: Add stages/authenticator_email django app to settings.py

* stages/authenticator_email: Fix imports due changes introduced in #12598

* stages/authenticator_email: fix linting

* stages/authenticator_email: Add tests for token verification

* Add UI structure for authenticator_email

* Add autheticator_email to AuthenticatorValidateStageForm.ts and create AuthenticatorEmailStageForm.ts

* Add serializer property to emaildevice

* Add DeviceClasses.EMAIL to DeviceClasses

* Add migration file for DeviceClasses change (added email)

* Add new schema.yml and blueprints/schema.json to refelct email authenticator

* Fix UI to show the Email Authenticator

* Add support for email templates for the email authenticator

* Add templates

* Add DeviceClasses.EMAIL option to authenticator_validate/stage.py

* Fix logic for sending emails in stage.py and use the proper class AuthenticatorEmailStage in tasks.py

* Fix token expiration display in the email templates

* Fix authenticator email stage set up

* Add template and email to api response for Authenticator Email stage

* Fix  Authenticator Email stage set up form

* Use different flow if the user has an email configured or not for Authenticator Email stage UI

* Use the correct field for the token in AuthenticatorEmailStage.ts

* Fix linting and code style

* Use the correct assertions in tests

* Fix mask email helper

* Add missing cases for Email Authenticator in the UI

* Fix email sending, add _compose_email() method to EmailDevice

* Fix cosmetic changes

* Add support for email device challenge validation in validate_selected_challenge

* Fix tests

* Add from_address to email template

* Refactor tests

* Update API Schema

* Refactor AuthenticatorEmailStage UI for cleaner code

* Fix saving token_expiry in the stage configuration

* Remove debug statements

* Add email connection settings to the Email authenticator stage configuration UI

* Remove unused field activate_on_success from AuthenticatorEmailStage

* Add tests for duplicate email, token expiration and template error

* cosmetic/styling changes

* Use authentik's GroupMemberSerializer and ManagedAppConfig in api and apps for email authenticathor

* stages/authenticator_email: Fix typos, styling and unused fields

* stages/authenticator_email: remove unused field responseStatus

* stages/authenticator_email: regen migrations

* Fix linting issues

* Fix app label issue, typos, missing user field

* Add a trailing space in email_otp.txt RFC 3676 sec. 4.3

Co-authored-by: Marc 'risson' Schmitt <[email protected]>
Signed-off-by: Marcelo Elizeche Landó <[email protected]>

* Move mask_email method to a helper function in authentik.lib.utils.email

* Remove unused function

* Use authentik.stages.email.tasks instead of authentik.stages.authenticator_email.tasks, delete authentik.stages.authenticator_email.tasks

* Fix use global settings not using the global setting if there's a default

* Revert "Fix use global settings not using the global setting if there's a default"

This reverts commit 3825248.

* Use user email from user attributes if exists

* Show masked email in AuthenticatorValidateStageCode

* Remove unused base.html template

* Fix linting issues

* Change token_expiry from integer to TextField, use timedelta_string_validator where necessary to process the change

* Move 'use global connection settings' up in the Email Authenticator Stage Configuration

* Show expanded connections settings when 'use global settings' is not activated for better UX

* Fix migration file, add missing validator

* Fix test for no prefilled email address

* Add tests to check session management, challenge generation and challenge response validation

* fix linting

* Add default value EmailStage for stage_class in stage.email.tasks.send_mail

* Change string representation for EmailDevice to handle authentik/events/tests/test_models.py::TestModels, add tests for the new __str__ method

* Add #nosec to skip false positive in linting validation

Signed-off-by: Marcelo Elizeche Landó <[email protected]>

* Change Email Authenticator Setup Stage name for consistency with other authenticators

* Add tests to test properties and methods of EmailDevice and AuthenticatorEmailStage, add test for email tasks

* Add tests for email challenge in authenticator_validate

* Update migration to reflect new verbose name for AuthenticatorEmailStage

* Update schema.yml to reflect new verbose name for AuthenticatorEmailStage

* Add default email subject in Email Authenticator Setup Stage configuration

* Remove from_address from email template to ensure global settings use if use global settings is on

* Add flow-default-authenticator-email-setup.yaml blueprint

* Move email authenticator blueprint to the examples folder

* Update authentik/stages/authenticator_email/models.py

Signed-off-by: Jens L. <[email protected]>

* Change self.user_pk to self.user_id because user_pk doesn't exists here

* Remove unused logger import

* Remove more unused logger import

* Add error handling to authentik.lib.utils.email.mask_email

* fix linting

* don't catch Exception

Signed-off-by: Jens Langhammer <[email protected]>

* update icons

Signed-off-by: Jens Langhammer <[email protected]>

---------

Signed-off-by: Marcelo Elizeche Landó <[email protected]>
Signed-off-by: Jens L. <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Co-authored-by: Marc 'risson' Schmitt <[email protected]>
Co-authored-by: Jens L. <[email protected]>
Co-authored-by: Jens Langhammer <[email protected]>

Author: 3 people

authentik/lib/utils/email.py

@@ -0,0 +1,54 @@
+"""Email utility functions"""
+
+
+def mask_email(email: str | None) -> str | None:
+    """Mask email address for privacy
+
+    Args:
+        email: Email address to mask
+    Returns:
+        Masked email address or None if input is None
+    Example:
+        mask_email("[email protected]")
+        'm*****@c******.org'
+    """
+    if not email:
+        return None
+
+    # Basic email format validation
+    if email.count("@") != 1:
+        raise ValueError("Invalid email format: Must contain exactly one '@' symbol")
+
+    local, domain = email.split("@")
+    if not local or not domain:
+        raise ValueError("Invalid email format: Local and domain parts cannot be empty")
+
+    domain_parts = domain.split(".")
+    if len(domain_parts) < 2:  # noqa: PLR2004
+        raise ValueError("Invalid email format: Domain must contain at least one dot")
+
+    limit = 2
+
+    # Mask local part (keep first char)
+    if len(local) <= limit:
+        masked_local = "*" * len(local)
+    else:
+        masked_local = local[0] + "*" * (len(local) - 1)
+
+    # Mask each domain part except the last one (TLD)
+    masked_domain_parts = []
+    for _i, part in enumerate(domain_parts[:-1]):  # Process all parts except TLD
+        if not part:  # Check for empty parts (consecutive dots)
+            raise ValueError("Invalid email format: Domain parts cannot be empty")
+        if len(part) <= limit:
+            masked_part = "*" * len(part)
+        else:
+            masked_part = part[0] + "*" * (len(part) - 1)
+        masked_domain_parts.append(masked_part)
+
+    # Add TLD unchanged
+    if not domain_parts[-1]:  # Check if TLD is empty
+        raise ValueError("Invalid email format: TLD cannot be empty")
+    masked_domain_parts.append(domain_parts[-1])
+
+    return f"{masked_local}@{'.'.join(masked_domain_parts)}"

authentik/root/settings.py

@@ -100,6 +100,7 @@
     "authentik.sources.scim",
     "authentik.stages.authenticator",
     "authentik.stages.authenticator_duo",
+    "authentik.stages.authenticator_email",
     "authentik.stages.authenticator_sms",
     "authentik.stages.authenticator_static",
     "authentik.stages.authenticator_totp",

authentik/stages/authenticator_email/__init__.py

@@ -0,0 +1,85 @@
+"""AuthenticatorEmailStage API Views"""
+
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
+
+from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.flows.api.stages import StageSerializer
+from authentik.stages.authenticator_email.models import AuthenticatorEmailStage, EmailDevice
+
+
+class AuthenticatorEmailStageSerializer(StageSerializer):
+    """AuthenticatorEmailStage Serializer"""
+
+    class Meta:
+        model = AuthenticatorEmailStage
+        fields = StageSerializer.Meta.fields + [
+            "configure_flow",
+            "friendly_name",
+            "use_global_settings",
+            "host",
+            "port",
+            "username",
+            "password",
+            "use_tls",
+            "use_ssl",
+            "timeout",
+            "from_address",
+            "subject",
+            "token_expiry",
+            "template",
+        ]
+
+
+class AuthenticatorEmailStageViewSet(UsedByMixin, ModelViewSet):
+    """AuthenticatorEmailStage Viewset"""
+
+    queryset = AuthenticatorEmailStage.objects.all()
+    serializer_class = AuthenticatorEmailStageSerializer
+    filterset_fields = "__all__"
+    ordering = ["name"]
+    search_fields = ["name"]
+
+
+class EmailDeviceSerializer(ModelSerializer):
+    """Serializer for email authenticator devices"""
+
+    user = GroupMemberSerializer(read_only=True)
+
+    class Meta:
+        model = EmailDevice
+        fields = ["name", "pk", "email", "user"]
+        depth = 2
+        extra_kwargs = {
+            "email": {"read_only": True},
+        }
+
+
+class EmailDeviceViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Viewset for email authenticator devices"""
+
+    queryset = EmailDevice.objects.all()
+    serializer_class = EmailDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]
+    owner_field = "user"
+
+
+class EmailAdminDeviceViewSet(ModelViewSet):
+    """Viewset for email authenticator devices (for admins)"""
+
+    queryset = EmailDevice.objects.all()
+    serializer_class = EmailDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]

authentik/stages/authenticator_email/api.py

@@ -0,0 +1,12 @@
+"""Email Authenticator"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikStageAuthenticatorEmailConfig(ManagedAppConfig):
+    """Email Authenticator App config"""
+
+    name = "authentik.stages.authenticator_email"
+    label = "authentik_stages_authenticator_email"
+    verbose_name = "authentik Stages.Authenticator.Email"
+    default = True

authentik/stages/authenticator_email/apps.py

@@ -0,0 +1,132 @@
+# Generated by Django 5.0.10 on 2025-01-27 20:05
+
+import django.db.models.deletion
+import django.utils.timezone
+from django.conf import settings
+from django.db import migrations, models
+
+import authentik.lib.utils.time
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatorEmailStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                ("friendly_name", models.TextField(null=True)),
+                (
+                    "use_global_settings",
+                    models.BooleanField(
+                        default=False,
+                        help_text="When enabled, global Email connection settings will be used and connection settings below will be ignored.",
+                    ),
+                ),
+                ("host", models.TextField(default="localhost")),
+                ("port", models.IntegerField(default=25)),
+                ("username", models.TextField(blank=True, default="")),
+                ("password", models.TextField(blank=True, default="")),
+                ("use_tls", models.BooleanField(default=False)),
+                ("use_ssl", models.BooleanField(default=False)),
+                ("timeout", models.IntegerField(default=10)),
+                (
+                    "from_address",
+                    models.EmailField(default="[email protected]", max_length=254),
+                ),
+                (
+                    "token_expiry",
+                    models.TextField(
+                        default="minutes=30",
+                        help_text="Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                ("subject", models.TextField(default="authentik Sign-in code")),
+                ("template", models.TextField(default="email/email_otp.html")),
+                (
+                    "configure_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Email Authenticator Setup Stage",
+                "verbose_name_plural": "Email Authenticator Setup Stages",
+            },
+            bases=("authentik_flows.stage", models.Model),
+        ),
+        migrations.CreateModel(
+            name="EmailDevice",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="The human-readable name of this device.", max_length=64
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                ("token", models.CharField(blank=True, max_length=16, null=True)),
+                (
+                    "valid_until",
+                    models.DateTimeField(
+                        default=django.utils.timezone.now,
+                        help_text="The timestamp of the moment of expiry of the saved token.",
+                    ),
+                ),
+                ("email", models.EmailField(max_length=254)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+                (
+                    "stage",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_email.authenticatoremailstage",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Email Device",
+                "verbose_name_plural": "Email Devices",
+                "unique_together": {("user", "email")},
+            },
+        ),
+    ]