Fec-cms: [ATO] Add 2FA/MFA support to CMS admin

Created on 15 Feb 2017 · 13 Comments · Source: fecgov/fec-cms

We need clarification on whether or not we can allow the admin URL to be publicly accessible for users, or if we need to use a multi-factor authentication system (e.g., SecureAuth or cloud.gov) to restrict access to that page and the admin section.

~The ATO sprinting team is unsure at the moment, so this issue is to track that conversation and remind folks to follow up to get a definitive answer.~

This is required for an ATO and the folks at FEC expressed a desire to have this in place as well, so we will move forward with this!


Update:

All 13 comments

Any further word on this? Seems like it could be a decent sized lift.

No follow-up to this yet, but I can ask in the meeting we're going to have this afternoon about the API databases. This is meant more for an FYI at the moment, but something we should keep on our radar just in case!

Here are the docs for leveraging cloud.gov 2fa https://cloud.gov/docs/apps/leveraging-authentication/

In addition to the cloud.gov documentation, there is also this Django package built specifically for this use-case: http://cg-django-uaa.readthedocs.io/en/latest/ Please feel free to reach out to @toolness for more help!

~For an example implementation, check out Tock's setup with it.~

Disregard Tock's setup, it's not cg-django-uaa. Please refer to @toolness' comment instead!

Oh I'm not sure if Tock actually uses cg-django-uaa--I believe they wanted to use UAA at first, but they eventually decided to make cloud.gov deal with auth by blocking all requests to tock.18f.gov behind auth. It's nice for tock because the site doesn't have any parts that are visible to the general public, but it's not as useful for sites like calc.gsa.gov that are mostly visible to the public but which we want some admin functionality on too.

Let me know if you want me to help with this--CALC is currently on "low power" mode so I've got some free time.

Per slack discussion. As a follow up, when this gets implemented need to ensure FEC is made aware each admin (eventually each CMS user) will need a cloud.gov account. 2 ways to do so here.

Thanks a ton, @toolness! I didn't realize that about Tock's implementation until after you pointed it out; I should've known CALC would be a better example. :-)

I've been working on getting this going. @toolness When I log in with the fakeserver, I get redirected back to our app at this url: http://localhost:8000/accounts/profile/. Is this to be expected? Is there some configuration to prevent this?

EDIT: disregard, got this working with the fake server! Picked the wrong week to start learning Django.

Oh glad you eventually got it working--I'm curious what you ran into, though? Perhaps it's something I can make easier by improving the docs for cg-django-uaa?

I think the issue was how Django logs in a user, and specifically how Wagtail (our CMS solution) uses that process. At first, it seemed that Django was successfully logging me in but was directing me to the accounts/profile endpoint, as would be expected for a regular Django app (I think). The trick was a parameter in the settings.py to override this behavior. With that being said, to maybe make the documentation better, perhaps say that if the app you are using is an abstraction on top of Django then there may be more steps involved to specifically configure your web app.

But that's really not a fault of the fake-server so I'd say the documentation was clear to me.

Django provides quite a bit of flexibility for how one manages authentication with their application, but in this particular case it might be worth diving into how web requests are authenticated. One way of accomplishing this is with the login_required decorator, which you use in conjunction with any view that requires a user be authenticated. This takes care of redirecting the user to a login screen and back to what they were trying to get to upon successful login, but you can customize it as well.

It sounds like this is working as expected here now, but I figured I'd throw this out there to help and shed a bit more light!
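The two comments above describe the same mechanism from two sides: the `login_required` decorator sends an unauthenticated user to the login page and then back to the page they asked for, and the `/accounts/profile/` detour happens when the login view has no "next" target and falls back to Django's `LOGIN_REDIRECT_URL` setting, whose default is `/accounts/profile/` (that is the settings.py parameter the earlier comment alludes to). The following is an added illustration, not code from fec-cms, Wagtail, or cg-django-uaa: a plain-Python model of that flow with constructed `Request`/`Response` types, so it runs without Django installed. It also includes the check Django's login view performs on the "next" value, which is the part a reviewer should look for in any custom login redirect: an unvalidated "next" parameter turns the login page into an open redirect.

```python
"""Plain-Python model of Django's login_required redirect flow.

Constructed for illustration only; it is not Django, Wagtail or cg-django-uaa code.
The setting names mirror Django's LOGIN_URL / LOGIN_REDIRECT_URL, including
Django's default values for both.
"""
from dataclasses import dataclass, field
from functools import wraps
from urllib.parse import urlencode, urlsplit

LOGIN_URL = "/accounts/login/"            # Django default
LOGIN_REDIRECT_URL = "/accounts/profile/"  # Django default; a CMS would point this at its admin


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    authenticated: bool = False
    params: dict = field(default_factory=dict)  # query-string parameters


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str = ""
    location: str = ""  # Location header for 302 responses


def login_required(view):
    """Redirect anonymous users to LOGIN_URL, remembering where they were going.

    Mirrors what Django's decorator does: the original path is carried in the
    'next' query parameter so the login view can send the user back afterwards.
    """
    @wraps(view)
    def wrapper(request: Request) -> Response:
        if not request.authenticated:
            query = urlencode({"next": request.path})
            return Response(302, location=f"{LOGIN_URL}?{query}")
        return view(request)
    return wrapper


def is_safe_redirect(target: str) -> bool:
    """Accept only same-origin absolute paths as a post-login destination.

    Rejects empty values, full URLs (scheme or host present), protocol-relative
    URLs ('//evil.example/...') and backslash tricks some browsers normalise
    into a host. Without this check 'next' is an open redirect.
    """
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/") and not target.startswith("//")


def post_login_redirect(request: Request, redirect_url: str = None) -> Response:
    """Where the login view sends the user once authentication succeeded.

    A valid 'next' wins; otherwise fall back to redirect_url (the per-app
    override) or the global LOGIN_REDIRECT_URL default. With Django's default
    and no 'next', that fallback is exactly the /accounts/profile/ detour
    described in the thread.
    """
    target = request.params.get("next", "")
    if not is_safe_redirect(target):
        target = redirect_url or LOGIN_REDIRECT_URL
    return Response(302, location=target)


@login_required
def admin_index(request: Request) -> Response:
    """A view that requires an authenticated user, like a CMS admin page."""
    return Response(200, body="CMS admin")


if __name__ == "__main__":
    # Anonymous hit on the admin: bounced to login with next=/admin/
    print(admin_index(Request("/admin/")))
    # Login with no 'next' and default settings: lands on /accounts/profile/
    print(post_login_redirect(Request("/accounts/login/", authenticated=True)))
    # Login with a 'next' pointing off-site: ignored, default used instead
    print(post_login_redirect(Request("/accounts/login/", True, {"next": "https://evil.example/"})))
```

The `redirect_url` argument plays the role of the per-app override: a CMS that wants its users to land on the admin after login sets that (or the global setting) to the admin path instead of accepting the `/accounts/profile/` default.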

Resolved by #889
