[ADD] auth_totp_mail: 2FA using code sent by email

Add the possibility to force the two-factor authentication for all users,
using a two-factor authentication by email
when the 2FA using an Authenticator app is not configured for the user.

Two possibilities:
 - Force the 2FA only for employee users using the system parameter `auth_totp.policy=employee_required`
 - Force the 2FA for all users, employees and portals, using the system parameter `auth_totp.policy=all_required`

closes odoo#83750

Signed-off-by: Denis Ledoux (dle) <[email protected]>

Author: beledouxdenis

.tx/config

@@ -97,6 +97,11 @@ file_filter = addons/auth_totp_mail/i18n/<lang>.po
 source_file = addons/auth_totp_mail/i18n/auth_totp_mail.pot
 source_lang = en
 
+[odoo-master.auth_totp_mail_enforce]
+file_filter = addons/auth_totp_mail_enforce/i18n/<lang>.po
+source_file = addons/auth_totp_mail_enforce/i18n/auth_totp_mail_enforce.pot
+source_lang = en
+
 [odoo-master.auth_totp_portal]
 file_filter = addons/auth_totp_portal/i18n/<lang>.po
 source_file = addons/auth_totp_portal/i18n/auth_totp_portal.pot

addons/auth_totp/controllers/home.py

@@ -35,12 +35,12 @@ def web_totp(self, redirect=None, **kwargs):
                     request.session.finalize()
                     return request.redirect(self._login_redirect(request.session.uid, redirect=redirect))
 
-        elif user and request.httprequest.method == 'POST':
+        elif user and request.httprequest.method == 'POST' and kwargs.get('totp_token'):
             try:
                 with user._assert_can_auth():
                     user._totp_check(int(re.sub(r'\s', '', kwargs['totp_token'])))
-            except AccessDenied:
-                error = _("Verification failed, please double-check the 6-digit code")
+            except AccessDenied as e:
+                error = str(e)
             except ValueError:
                 error = _("Invalid authentication code format.")
             else:
@@ -66,6 +66,7 @@ def web_totp(self, redirect=None, **kwargs):
                 return response
 
         return request.render('auth_totp.auth_totp_form', {
+            'user': user,
             'error': error,
             'redirect': redirect,
         })

addons/auth_totp/i18n/auth_totp.pot

@@ -372,7 +372,7 @@ msgid "Verification Code"
 msgstr ""
 
 #. module: auth_totp
-#: code:addons/auth_totp/controllers/home.py:0
+#: code:addons/auth_totp/models/res_users.py:0
 #: code:addons/auth_totp/wizard/auth_totp_wizard.py:0
 #, python-format
 msgid "Verification failed, please double-check the 6-digit code"

addons/auth_totp/models/res_users.py

@@ -28,12 +28,18 @@ class Users(models.Model):
     def SELF_READABLE_FIELDS(self):
         return super().SELF_READABLE_FIELDS + ['totp_enabled', 'totp_trusted_device_ids']
 
+    def _mfa_type(self):
+        r = super()._mfa_type()
+        if r is not None:
+            return r
+        if self.totp_enabled:
+            return 'totp'
 
     def _mfa_url(self):
         r = super()._mfa_url()
         if r is not None:
             return r
-        if self.totp_enabled:
+        if self._mfa_type() == 'totp':
             return '/web/login/totp'
 
     @api.depends('totp_secret')
@@ -55,7 +61,7 @@ def _totp_check(self, code):
         match = TOTP(key).match(code)
         if match is None:
             _logger.info("2FA check: FAIL for %s %r", self, self.login)
-            raise AccessDenied()
+            raise AccessDenied(_("Verification failed, please double-check the 6-digit code"))
         _logger.info("2FA check: SUCCESS for %s %r", self, self.login)
 
     def _totp_try_setting(self, secret, code):

addons/auth_totp/models/totp.py

@@ -20,7 +20,7 @@ class TOTP:
     def __init__(self, key):
         self._key = key
 
-    def match(self, code, t=None, window=TIMESTEP):
+    def match(self, code, t=None, window=TIMESTEP, timestep=TIMESTEP):
         """
         :param code: authenticator code to check against this key
         :param int t: current timestamp (seconds)
@@ -32,8 +32,8 @@ def match(self, code, t=None, window=TIMESTEP):
         if t is None:
             t = time.time()
 
-        low = int((t - window) / TIMESTEP)
-        high = int((t + window) / TIMESTEP) + 1
+        low = int((t - window) / timestep)
+        high = int((t + window) / timestep) + 1
 
         return next((
             counter for counter in range(low, high)

addons/auth_totp_mail_enforce/__init__.py

@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from . import controllers
+from . import models

addons/auth_totp_mail_enforce/__manifest__.py

@@ -0,0 +1,20 @@
+{
+    'name': '2FA by mail',
+    'description': """
+2FA by mail
+===============
+Two-Factor authentication by sending a code to the user email inbox
+when the 2FA using an authenticator app is not configured.
+To enforce users to use a two-factor authentication by default,
+and encourage users to configure their 2FA using an authenticator app.
+    """,
+    'depends': ['auth_totp', 'mail'],
+    'category': 'Extra Tools',
+    'data': [
+        'data/mail_template_data.xml',
+        'security/ir.model.access.csv',
+        'views/res_config_settings_views.xml',
+        'views/templates.xml',
+    ],
+    'license': 'LGPL-3',
+}

addons/auth_totp_mail_enforce/controllers/__init__.py

@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from . import home

addons/auth_totp_mail_enforce/controllers/home.py

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+import odoo.addons.auth_totp.controllers.home
+
+from odoo import http
+from odoo.exceptions import AccessDenied, UserError
+from odoo.http import request
+
+
+class Home(odoo.addons.auth_totp.controllers.home.Home):
+    @http.route()
+    def web_totp(self, redirect=None, **kwargs):
+        response = super().web_totp(redirect=redirect, **kwargs)
+        if response.status_code != 200 or response.qcontext['user']._mfa_type() != 'totp_mail':
+            # In case the response from the super is a redirection
+            # or the user has another TOTP method, we return the response from the call to super.
+            return response
+        assert request.session.pre_uid and not request.session.uid, \
+            "The user must still be in the pre-authentication phase"
+
+        # Send the email containing the code to the user inbox
+        try:
+            response.qcontext['user']._send_totp_mail_code()
+        except (AccessDenied, UserError) as e:
+            response.qcontext['error'] = str(e)
+
+        return response

addons/auth_totp_mail_enforce/data/mail_template_data.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data noupdate="1">
+        <record id="mail_template_totp_mail_code" model="mail.template">
+            <field name="name">TOTP for users: Authentication by email</field>
+            <field name="model_id" ref="base.model_res_users" />
+            <field name="subject">Your two-factor authentication code</field>
+            <field name="email_to">{{ object.email_formatted }}</field>
+            <field name="email_from">"{{ object.company_id.name }}" &lt;{{ (object.company_id.email or user.email) }}&gt;</field>
+            <field name="lang">{{ object.partner_id.lang }}</field>
+            <field name="auto_delete" eval="True"/>
+            <field name="body_html" type="html">
+<div style="margin: 0px; padding: 0px; font-size: 13px;">
+    Dear <t t-out="object.partner_id.name or ''"></t><br/><br/>
+    <p>Someone is trying to log in into your account with a new device.</p>
+    <ul>
+        <t t-set="not_available">N/A</t>
+        <li>Location: <t t-out="ctx.get('location') or not_available"/></li>
+        <li>Device: <t t-out="ctx.get('device') or not_available"/></li>
+        <li>Browser: <t t-out="ctx.get('browser') or not_available"/></li>
+        <li>IP address: <t t-out="ctx.get('ip') or not_available"/></li>
+    </ul>
+    <p>If this is you, please enter the following code to complete the login:</p>
+    <t t-set="code_expiration" t-value="object._get_totp_mail_code()"/>
+    <t t-set="code" t-value="code_expiration[0]"/>
+    <t t-set="expiration" t-value="code_expiration[1]"/>
+    <div style="margin: 16px 0px 16px 0px; text-align: center;">
+        <span t-out="code" style="background-color:#faf9fa; border: 1px solid #dad8de; padding: 8px 16px 8px 16px; font-size: 24px; color: #875A7B; border-radius: 5px;"/>
+    </div>
+    <small>Please note that this code expires in <t t-out="expiration"/>.</small>
+
+    <p style="margin: 16px 0px 16px 0px;">
+        If you did NOT initiate this log-in,
+        you should immediately change your password to ensure account security.
+    </p>
+
+    <p style="margin: 16px 0px 16px 0px;">
+        We also strongly recommend enabling the two-factor authentication using an authenticator app to help secure your account.
+    </p>
+
+    <p style="margin: 16px 0px 16px 0px; text-align: center;">
+        <a t-att-href="object.get_totp_invite_url()"
+            style="background-color:#875A7B; padding: 8px 16px 8px 16px; text-decoration: none; color: #fff; border-radius: 5px;">
+            Activate my two-factor authentication
+        </a>
+    </p>
+</div>
+            </field>
+        </record>
+    </data>
+</odoo>