refactor: extract 2FA middleware to standalone require2fa Django app

heysamtexas · claude · heysamtexas · commit ba1874028d88 · 2025-08-21T08:11:17.000+02:00
## Major Changes ### New require2fa App - Extract 2FA middleware from myapp to dedicated require2fa app - Maintain all existing security features and comprehensive test coverage - Use django-solo pattern for runtime configuration via admin interface ### Security Improvements - Remove admin login exemption from 2FA requirements - Admin access now properly requires 2FA verification - Preserve all existing vulnerability protections (Issue #173 patterns) ### Migration Strategy - Data migration copies required_2fa setting to TwoFactorConfig model - Clean removal of old required_2fa field from SiteConfiguration - Zero downtime migration path with backward compatibility ### Configuration - Add require2fa to INSTALLED_APPS - Update middleware path: myapp.middleware → require2fa.middleware - TwoFactorConfig model replaces SiteConfiguration.required_2fa ### Testing - Move comprehensive test suite (15 security tests) - All tests passing: require2fa (15), myapp (3), organizations (40) - Test coverage includes malformed URLs, configuration edge cases, and regression tests ### Files Changed - NEW: require2fa/ Django app with models, middleware, admin, tests - MODIFIED: config/settings.py - add app and update middleware path - REMOVED: myapp/middleware.py, myapp/tests/test_2fa_middleware.py - MODIFIED: myapp/models/__init__.py - remove required_2fa field ### Ready for Package Extraction The require2fa app is now self-contained and ready to be extracted to a separate repository for use across multiple Django projects. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/config/settings.py b/src/config/settings.py
@@ -46,6 +46,7 @@
     "django_bootstrap5",
     "organizations",
     "myapp",
+    "require2fa",
     "allauth",
     "allauth.account",
     "allauth.mfa",
@@ -69,7 +70,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "allauth.account.middleware.AccountMiddleware",
-    "myapp.middleware.Require2FAMiddleware",
+    "require2fa.middleware.Require2FAMiddleware",
 ]
 
 ROOT_URLCONF = "config.urls"
diff --git a/src/myapp/migrations/0009_remove_required_2fa_field.py b/src/myapp/migrations/0009_remove_required_2fa_field.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.4 on 2025-08-20 21:44
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('myapp', '0008_siteconfiguration_include_staff_in_analytics_and_more'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='siteconfiguration',
+            name='required_2fa',
+        ),
+    ]
diff --git a/src/myapp/models/__init__.py b/src/myapp/models/__init__.py
@@ -15,8 +15,6 @@ class SiteConfiguration(solo.models.SingletonModel):
     worker_enabled = models.BooleanField(default=False)
     worker_sleep_seconds = models.IntegerField(default=FIVE_SECONDS)
 
-    required_2fa = models.BooleanField(default=False, help_text="Require 2FA for all users.")
-
     include_staff_in_analytics = models.BooleanField(
         default=False,
         help_text="Include staff in analytics.",
diff --git a/src/require2fa/__init__.py b/src/require2fa/__init__.py
@@ -0,0 +1 @@
+"""Two-Factor Authentication enforcement Django app."""
diff --git a/src/require2fa/admin.py b/src/require2fa/admin.py
@@ -0,0 +1,25 @@
+"""Admin interface for Two-Factor Authentication configuration."""
+
+from django.contrib import admin
+from solo.admin import SingletonModelAdmin
+
+from .models import TwoFactorConfig
+
+
+@admin.register(TwoFactorConfig)
+class TwoFactorConfigAdmin(SingletonModelAdmin):
+    """Admin interface for TwoFactorConfig."""
+
+    fieldsets = (
+        (
+            "Two-Factor Authentication Settings",
+            {
+                "fields": ("required",),
+                "description": "Configure site-wide 2FA enforcement policies.",
+            },
+        ),
+    )
+
+    def has_delete_permission(self, request, obj=None) -> bool:  # noqa: ANN001, ARG002
+        """Prevent deletion of the singleton configuration."""
+        return False
diff --git a/src/require2fa/apps.py b/src/require2fa/apps.py
@@ -0,0 +1,8 @@
+from django.apps import AppConfig
+
+
+class Require2FaConfig(AppConfig):
+    """Django app configuration for require2fa."""
+
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "require2fa"
diff --git a/src/require2fa/middleware.py b/src/require2fa/middleware.py
@@ -22,7 +22,7 @@
 from django.urls import Resolver404, resolve
 from django.utils.decorators import sync_and_async_middleware
 
-from myapp.models import SiteConfiguration
+from .models import TwoFactorConfig
 
 # Set up security logging
 security_logger = logging.getLogger("security.2fa")
@@ -56,7 +56,6 @@ def __init__(self, get_response) -> None:  # noqa: ANN001, D107
             "mfa_generate_recovery_codes",  # Generate recovery codes
             "mfa_view_recovery_codes",  # View recovery codes
             "mfa_download_recovery_codes",  # Download recovery codes
-            "admin:login",
         }
 
     def _is_static_request(self, request: HttpRequest) -> bool:
@@ -127,8 +126,8 @@ def _should_enforce_2fa(self, request: HttpRequest) -> bool:
             return False
 
         # Check if 2FA is required by site configuration
-        site_config = SiteConfiguration.objects.get()
-        if not site_config.required_2fa:
+        config = TwoFactorConfig.objects.get()
+        if not config.required:
             return False
 
         # Check if user has 2FA
@@ -149,8 +148,8 @@ async def _should_enforce_2fa_async(self, request: HttpRequest) -> bool:
             return False
 
         # Check if 2FA is required by site configuration
-        site_config = await sync_to_async(SiteConfiguration.objects.get)()
-        if not site_config.required_2fa:
+        config = await sync_to_async(TwoFactorConfig.objects.get)()
+        if not config.required:
             return False
 
         # Check if user has 2FA
diff --git a/src/require2fa/migrations/0001_initial.py b/src/require2fa/migrations/0001_initial.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.2.4 on 2025-08-20 21:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='TwoFactorConfig',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('required', models.BooleanField(default=False, help_text='Require 2FA for all authenticated users.', verbose_name='Require Two-Factor Authentication')),
+            ],
+            options={
+                'verbose_name': 'Two-Factor Authentication Configuration',
+            },
+        ),
+    ]
diff --git a/src/require2fa/migrations/0002_copy_2fa_setting.py b/src/require2fa/migrations/0002_copy_2fa_setting.py
@@ -0,0 +1,61 @@
+# Generated by Django 5.2.4 on 2025-08-20 21:43
+
+from django.db import migrations
+
+
+def copy_2fa_setting_forward(apps, schema_editor):
+    """Copy required_2fa setting from SiteConfiguration to TwoFactorConfig."""
+    # Get model classes for this migration point
+    SiteConfiguration = apps.get_model('myapp', 'SiteConfiguration')
+    TwoFactorConfig = apps.get_model('require2fa', 'TwoFactorConfig')
+
+    # Get the current site configuration (if it exists)
+    try:
+        site_config = SiteConfiguration.objects.get()
+        required_2fa = getattr(site_config, 'required_2fa', False)
+    except SiteConfiguration.DoesNotExist:
+        # No site configuration exists, default to False
+        required_2fa = False
+
+    # Create or update the TwoFactorConfig with the copied value
+    TwoFactorConfig.objects.get_or_create(
+        defaults={'required': required_2fa}
+    )
+
+
+def copy_2fa_setting_reverse(apps, schema_editor):
+    """Reverse migration - copy back from TwoFactorConfig to SiteConfiguration."""
+    # Get model classes for this migration point
+    SiteConfiguration = apps.get_model('myapp', 'SiteConfiguration')
+    TwoFactorConfig = apps.get_model('require2fa', 'TwoFactorConfig')
+
+    # Get the TwoFactorConfig value
+    try:
+        config = TwoFactorConfig.objects.get()
+        required_2fa = config.required
+    except TwoFactorConfig.DoesNotExist:
+        required_2fa = False
+
+    # Update SiteConfiguration if it exists
+    try:
+        site_config = SiteConfiguration.objects.get()
+        site_config.required_2fa = required_2fa
+        site_config.save()
+    except SiteConfiguration.DoesNotExist:
+        # If no SiteConfiguration exists, we can't copy back
+        pass
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('require2fa', '0001_initial'),
+        ('myapp', '0008_siteconfiguration_include_staff_in_analytics_and_more'),  # Latest myapp migration
+    ]
+
+    operations = [
+        migrations.RunPython(
+            copy_2fa_setting_forward,
+            copy_2fa_setting_reverse
+        ),
+    ]
diff --git a/src/require2fa/migrations/__init__.py b/src/require2fa/migrations/__init__.py
diff --git a/src/require2fa/models.py b/src/require2fa/models.py
@@ -0,0 +1,23 @@
+"""Two-Factor Authentication configuration models."""
+
+import solo.models
+from django.db import models
+
+
+class TwoFactorConfig(solo.models.SingletonModel):
+    """Configuration for Two-Factor Authentication enforcement."""
+
+    required = models.BooleanField(
+        default=False,
+        help_text="Require 2FA for all authenticated users.",
+        verbose_name="Require Two-Factor Authentication",
+    )
+
+    class Meta:
+        """Model metadata for TwoFactorConfig."""
+
+        verbose_name = "Two-Factor Authentication Configuration"
+
+    def __str__(self) -> str:
+        """Return a string representation of the configuration."""
+        return f"2FA Required: {'Yes' if self.required else 'No'}"
diff --git a/src/require2fa/tests/__init__.py b/src/require2fa/tests/__init__.py
@@ -0,0 +1 @@
+"""Tests for require2fa app."""
diff --git a/src/require2fa/tests/test_middleware.py b/src/require2fa/tests/test_middleware.py
@@ -5,7 +5,7 @@
 from django.test import TestCase, Client, override_settings
 from django.urls import reverse
 
-from myapp.models import SiteConfiguration
+from require2fa.models import TwoFactorConfig
 
 User = get_user_model()
 
@@ -20,8 +20,11 @@ def setUp(self):
         # Create test user
         self.user = User.objects.create_user(username="testuser", email="test@example.com", password="testpass123")
 
-        # Enable 2FA site-wide
-        self.site_config = SiteConfiguration.objects.create(required_2fa=True)
+        # Enable 2FA site-wide (get_or_create for singleton)
+        self.config, created = TwoFactorConfig.objects.get_or_create(defaults={'required': True})
+        if not created:
+            self.config.required = True
+            self.config.save()
 
     def test_unauthenticated_users_access_everything(self):
         """Unauthenticated users should not be affected by 2FA middleware."""
@@ -42,9 +45,10 @@ def test_authenticated_user_without_2fa_redirected_to_setup(self):
         """Users without 2FA should be redirected to setup for protected URLs."""
         self.client.force_login(self.user)
 
-        # These URLs should trigger 2FA redirect (admin has its own login)
+        # These URLs should trigger 2FA redirect
         protected_paths = [
             "/",
+            "/admin/",  # Admin now requires 2FA too
         ]
 
         for path in protected_paths:
@@ -93,8 +97,8 @@ def test_static_files_always_accessible(self):
     def test_2fa_disabled_site_wide_allows_everything(self):
         """When 2FA is disabled, middleware should not interfere."""
         # Disable 2FA site-wide
-        self.site_config.required_2fa = False
-        self.site_config.save()
+        self.config.required = False
+        self.config.save()
 
         self.client.force_login(self.user)
 
@@ -186,7 +190,10 @@ def setUp(self):
         """Set up test with 2FA enabled."""
         self.client = Client()
         self.user = User.objects.create_user(username="testuser", email="test@example.com", password="testpass123")
-        SiteConfiguration.objects.create(required_2fa=True)
+        config, created = TwoFactorConfig.objects.get_or_create(defaults={'required': True})
+        if not created:
+            config.required = True
+            config.save()
 
     def test_accounts_namespace_no_longer_bypassed(self):
         """The original /accounts/* bypass vulnerability should be fixed."""
@@ -233,7 +240,10 @@ def setUp(self):
         """Set up test environment."""
         self.client = Client()
         self.user = User.objects.create_user(username="testuser", email="test@example.com", password="testpass123")
-        SiteConfiguration.objects.create(required_2fa=True)
+        config, created = TwoFactorConfig.objects.get_or_create(defaults={'required': True})
+        if not created:
+            config.required = True
+            config.save()
 
     @override_settings(MEDIA_URL="/", STATIC_URL="/static/")
     def test_dangerous_media_url_root_path_blocked(self):
@@ -281,7 +291,7 @@ def test_proper_configuration_allows_static_files(self):
 
     def test_missing_media_url_edge_case(self):
         """Test middleware behavior when getattr is used with safe defaults."""
-        from myapp.middleware import Require2FAMiddleware
+        from require2fa.middleware import Require2FAMiddleware
         from django.test import RequestFactory
         from django.conf import settings
 
diff --git a/src/require2fa/views.py b/src/require2fa/views.py
@@ -0,0 +1 @@
+# Create your views here.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"""Two-Factor Authentication enforcement Django app."""`