Support for TOTP valid_window configuration (#2187)

apps/jumpserver/settings.py

@@ -356,6 +356,7 @@ FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 
 # OTP settings
 OTP_ISSUER_NAME = CONFIG.OTP_ISSUER_NAME
+OTP_VALID_WINDOW = CONFIG.OTP_VALID_WINDOW
 
 # Auth LDAP settings
 AUTH_LDAP = False

apps/users/utils.py

@@ -292,7 +292,8 @@ def check_otp_code(otp_secret_key, otp_code):
     if not otp_secret_key or not otp_code:
         return False
     totp = pyotp.TOTP(otp_secret_key)
-    return totp.verify(otp_code)
+    otp_valid_window = settings.OTP_VALID_WINDOW or 0
+    return totp.verify(otp=otp_code, valid_window=otp_valid_window)
 
 
 def get_password_check_rules():

config_docker.py

@@ -100,6 +100,9 @@ class Config:
     }
     AUTH_LDAP_START_TLS = False
 
+    #
+    # OTP_VALID_WINDOW = 0
+
     def __init__(self):
         pass
 
@@ -200,6 +203,10 @@ class DockerConfig(Config):
     AUTH_LDAP_START_TLS = False
 
 
+    #
+    OTP_VALID_WINDOW = int(os.environ.get("OTP_VALID_WINDOW")) if os.environ.get("OTP_VALID_WINDOW") else 0
+
+
 # Default using Config settings, you can write if/else for different env
 config = DockerConfig()
 

config_example.py

@@ -90,6 +90,9 @@ class Config:
     # AUTH_OPENID_CLIENT_ID = 'client-id'
     # AUTH_OPENID_CLIENT_SECRET = 'client-secret'
 
+    #
+    # OTP_VALID_WINDOW = 0
+
     def __init__(self):
         pass