Add TOTP for Admin login
README.md
@@ -9,6 +9,7 @@ A web-based gate access management and control system. Authorized users can remo
- **Keypass authentication** — users authenticate with an access code; each keypass can have a per-gate allowlist and an optional expiration date
- **Remote gate control** — integrates with [AVConnect](https://www.avconnect.it) to trigger gate macros
- **Role-based admin panel** — two roles (`admin`, `manager`) with different permission levels
- **Two-factor authentication (TOTP)** — admins can enable app-based 2FA (Google Authenticator, Authy, etc.) on their account
- **Access audit log** — every open attempt is logged with timestamp, keypass, gate, IP, and result; filterable and paginated
- **Keypass QR codes** — generate a scannable QR code for each keypass; scanning opens the PWA and logs in automatically
- **Keypass code options** — choose character set (alphanumeric, alpha, numeric, or a 4-word passphrase) and length when auto-generating codes
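Review bot: the new bullet says "admins can enable" 2FA, but the roles bullet two lines above distinguishes `admin` from `manager`, so it is unclear whether manager accounts can also enable TOTP; state which roles the feature covers (for example "admin-panel accounts of either role" or "admin-role accounts only", whichever is implemented). It is also worth saying in the bullet that 2FA is optional and per-account, which the section added later in this commit makes explicit.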
@@ -23,6 +24,7 @@ A web-based gate access management and control system. Authorized users can remo
| ORM | SQLAlchemy |
| Database | SQLite |
| Auth | JWT (HS256) + bcrypt |
| 2FA | TOTP (RFC 6238) via pyotp |
| Credential storage | Fernet symmetric encryption |
| Gate integration | AVConnect HTTP API |
| Notifications | Telegram Bot API |
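Review bot: the `Credential storage | Fernet symmetric encryption` row now protects two kinds of secret but names neither; since the TOTP section added in this commit states that TOTP secrets are stored Fernet-encrypted, list both in that row, e.g. `| Credential storage | Fernet symmetric encryption (AVConnect credentials, TOTP secrets) |`, so a reader assessing what the Fernet key protects (and what a leaked key exposes) does not miss the TOTP secrets. The new `2FA` row is fine as is; the accepted clock-drift window could be added next to `RFC 6238` once it is documented.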
@@ -101,6 +103,9 @@ data/
| POST | `/api/admin/admins` | Create an admin user |
| DELETE | `/api/admin/admins/{username}` | Delete an admin user |
| PATCH | `/api/admin/admins/{username}/password` | Change password |
| POST | `/api/admin/admins/{username}/totp/setup` | Generate a new TOTP secret and return provisioning URI + QR |
| POST | `/api/admin/admins/{username}/totp/enable` | Verify a TOTP code and activate 2FA |
| DELETE | `/api/admin/admins/{username}/totp` | Disable 2FA and discard the secret |

### Admin — AVConnect Credentials (admin only)

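Review bot: the three new TOTP rows carry no access restriction, while the README later states that only the account owner can enable or disable their own 2FA; mark the rows as owner-only (i.e. `{username}` must match the authenticated caller) so the table matches the `(admin only)` convention used for the other sections. Two behaviours the descriptions should also pin down: whether `POST .../totp/setup` is accepted while 2FA is already active (it should not silently replace a verified secret, and the returned provisioning URI contains the new secret, so the response should be documented as sensitive), and whether `DELETE .../totp` requires the current TOTP code or a password re-entry, because a disable that needs only a valid session would let a hijacked session remove the second factor.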
@@ -232,6 +237,19 @@ Configure a Telegram bot to receive a message in a group or chat every time a ga

Notifications are sent in a background thread and never block the gate open response. Failures are logged as warnings and do not affect gate operation.

## Two-Factor Authentication (TOTP)

Each admin account can independently enable TOTP-based two-factor authentication:

1. Open **Admin → Admin Users** and click **Enable 2FA** on your own row
2. Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.)
3. Enter the 6-digit code to confirm — 2FA is only activated after a successful verification
4. On subsequent logins, after entering your password you will be prompted for the current TOTP code

To disable, click **Disable 2FA** on your row and confirm.

> Only the account owner can enable or disable their own 2FA. TOTP secrets are stored Fernet-encrypted in the database.

## Roles

| Role | Permissions |

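Review bot: step 4 describes the TOTP prompt only from the user's side; since the stack table lists `JWT (HS256)` for auth, the section should state that no session JWT is issued until the TOTP code has been verified, otherwise a reader cannot tell whether the second factor is enforced by the API or only by the login form. Two further gaps in this section: the "Disable 2FA ... and confirm" step should say whether confirming asks for the current code or the password, and, because "Only the account owner can enable or disable their own 2FA", there is no documented recovery path when the authenticator device is lost; either describe an operator-side reset or state that such an account has to be recreated. Finally, step 3 mentions a 6-digit code but not the accepted clock drift; add whether a code from the adjacent time step is accepted, since that is what users ask when a code is rejected.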