Extension Two-factor authentication (2FA)


Extension Basics

Title
Two-factor authentication (2FA)
Name
ckanext-auth
Type
Public extension
Description
Provides 2FA authentication mechanism with TOTP authenticator apps or email verification
CKAN versions
Download-Url (zip)
Download-Url commit date
2024-01-01
Url to repo
Category
Authentication & Security


Background Infos

Description (long)

This extension provides two-factor authentication (2FA) for CKAN, partially based on ckanext-security. Features include: two authentication methods (TOTP with authenticator apps like Google Authenticator/Authy, email-based verification codes), configurable 2FA method selection, email verification code with TTL (default 10 minutes), login timeout after failed attempts (default 15 minutes after 10 failed attempts), Redis-based session management, database migrations for user 2FA settings, customizable email templates (auth/emails/verification_code.html), integration with ckanext-admin-panel for configuration UI. Requires Redis to be configured for CKAN. Compatible with CKAN 2.10+. Python 3.8-3.10 compatible. Beta development status. AGPL licensed.

Version
0.3.4
Version release date
2024-01-01
Contact name
DataShades
Contact email
Contact Url
(not set)


Installation Guide

Configuration hints

Install via pip:

pip install -e git+https://github.com/DataShades/ckanext-auth.git#egg=ckanext-auth

pip install -r requirements.txt

Enable the plugin:

ckan.plugins = auth

Apply database migrations:

ckan db pending-migrations --apply

Required: Redis must be configured for CKAN.

Configuration options:

Enable two-factor authentication (default: true)

ckanext.auth.2fa_enabled = true

2FA method: email or authenticator (default: email)

ckanext.auth.2fa_method = email

TTL for email verification code in seconds (default: 600 = 10 minutes)

ckanext.auth.2fa_email_interval = 600

Login timeout in seconds after max failed attempts (default: 900 = 15 minutes)

ckanext.auth.2fa_login_timeout = 900

Maximum failed login attempts before timeout (default: 10)

ckanext.auth.2fa_login_max_attempts = 10

2FA Methods:

  1. Email method:

    • User receives verification code via email
    • Code valid for configured interval (default 10 min)
    • Customize email template: auth/emails/verification_code.html
  2. Authenticator method (TOTP):

    • Use apps like Google Authenticator, Authy, etc.
    • Time-based one-time password
    • More secure than email method

Brute force protection:

  • Tracks failed login attempts
  • Triggers timeout after max attempts reached
  • Default: 10 failed attempts = 15 minute lockout
  • Configurable via settings above

Admin Panel Integration: If ckanext-admin-panel is installed, 2FA settings will be available in the admin panel UI for easy configuration.

Customization:

  • Create custom email template at auth/emails/verification_code.html
  • Template receives verification code variable

Requirements:

  • CKAN >= 2.10
  • Redis configured and running
  • Database migrations applied

Plugins to configure (ckan.ini)
auth
CKAN Settings (ckan.ini)
(not set)
DB migration to be executed
auth