@Guitlle Guitlle commented Oct 22, 2025

🗒️ Checklist

  1. run linter locally
  2. update developer docs (API, README, inline, etc.), if any
  3. for user-facing doc changes create a Zulip thread at #Support Docs Updates, if any
  4. draft PR with a title <type>(<scope>)<!>: <title> DEV-1234
  5. assign yourself, tag PR: at least Front end and/or Back end or workflow
  6. fill in the template below and delete template comments
  7. review thyself: read the diff and repro the preview as written
  8. open PR & confirm that CI passes & request reviewers, if needed
  9. delete this section before merging

Summary

Migrate MFA features from Trench to Django Allauth for better integration and maintainability.

Description

This update replaces all Trench-based multi-factor authentication (MFA) endpoints, views, and forms with a new implementation powered by Django Allauth. The change ensures tighter integration with the existing authentication system, simplifies configuration, and improves long-term maintainability.

💭 Notes

The MFA endpoints were changed to use the allauth MFA feature, removing trench. This covers these endpoints that are used in the frontend:

  • /api/v2/auth/<str:method>/activate/
  • /api/v2/auth/<str:method>/activate/confirm/
  • /api/v2/auth/<str:method>/codes/regenerate/
  • /api/v2/auth/<str:method>/deactivate/
  • /api/v2/auth/mfa/user-active-methods/

These are now based on the Authenticator model, which can handle TOTP codes and recovery codes.

👀 Preview steps

These endpoints are covered in unit tests, so no need to test. However, we could test the following sequence to validate it's working ok:

  1. Log into your dev env
  2. Go to account settings
  3. Go to security
  4. Enable MFA and you can use pyotp to generate codes, or you can use an auth app on your phone
  5. Scan the QR code or copy the manual key, use pyotp:

     >>> import pyotp
     >>> key = '*****'
     >>> totp = pyotp.TOTP(key)
     >>> totp.now()
     '123456'

  6. Enter the generated code and it should now show you the recovery codes. Download the file, and click the blue button
  7. You should see that there are two options now, reconfigure MFA and regenerate codes
  8. Test each one of these. It should allow you to follow the steps with no error messages in the KPI container logs or in the frontend app. Use pyotp to generate new codes, as shown above.
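
What `pyotp.TOTP(key).now()` computes in the preview steps above, and the check a server makes when that code is submitted, written out with the standard library. This is an added example, not part of the original PR description and not allauth's or KPI's code; the secret is the published RFC 6238 test key, and `verify_totp`, `window` and `last_counter` are names assumed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32), not a real key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP over HMAC-SHA1, the primitive underneath TOTP."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Code for the 30-second step containing `at` (pyotp's defaults)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1, last_counter=-1):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift and rejects any counter at or
    below `last_counter` (assumed to be stored per user) to block replay.
    """
    at = time.time() if at is None else at
    now = int(at) // step
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret_b32, counter, len(code) or 6)
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59))
    print(verify_totp(RFC_SECRET, "287082", at=59))
```
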

@Guitlle Guitlle changed the title Dev 749 mfa update endpoints feat(mfa): create new API endpoints and views to replace trench's DEV-749 Oct 24, 2025
@Guitlle Guitlle self-assigned this Oct 24, 2025
@Guitlle Guitlle changed the title feat(mfa): create new API endpoints and views to replace trench's DEV-749 feat(mfa): create new API endpoints and views to replace trench's DEV-749 DEV-750 Oct 24, 2025
@Guitlle Guitlle changed the title feat(mfa): create new API endpoints and views to replace trench's DEV-749 DEV-750 feat(mfa): replace trench based API endpoints, views and forms with allauth implementation DEV-749 DEV-750 Oct 24, 2025
@Guitlle Guitlle marked this pull request as ready for review October 27, 2025 22:41
@Guitlle Guitlle removed request for jnm and olive-KTB October 27, 2025 22:42
@Guitlle Guitlle changed the title feat(mfa): replace trench based API endpoints, views and forms with allauth implementation DEV-749 DEV-750 feat(mfa): replace trench based API endpoints, views and forms with allauth implementation DEV-749 Oct 27, 2025
@noliveleger noliveleger requested a review from rgraber as a code owner November 14, 2025 15:44
### 💭 Notes
The trench MFA data is copied to the allauth Authenticator and the
MfaMethodsWrapper models in order to remove the trench dependency. In
order to avoid disabling MFA for users it migrates the user MFA data
from trench when the user logs in. It also includes a long running
migration to migrate users' MFA data in the background.
@noliveleger noliveleger removed the request for review from rgraber November 14, 2025 17:00
@noliveleger noliveleger left a comment

LGTM

@noliveleger noliveleger merged commit 8228dde into main Nov 14, 2025
11 checks passed
@noliveleger noliveleger deleted the dev-749-mfa-update-endpoints branch November 14, 2025 17:06