[#2076] Replace 2FA with maykin-2fa

[alextreme]

All in all an easy upgrade!

A few things to note:

• Seems to clear the TOTP-devices, will every admin have to re-register their TOTP-device or is a migration path possible?
• Wasn't able to get my yubikey to work with Webauthn yet but this may be due to my Firefox upgrade recently
• Could use some additional texts/explaination (point to Google Authenticator / Microsoft Authenticator, explain what a Webauthn is or point to a resource etc)
• django-admin-index happy surprise menu appears again:

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (651f7cd) 94.91% compared to head (2330eff) 94.92%.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #1003      +/-   ##
===========================================
+ Coverage    94.91%   94.92%   +0.01%     
===========================================
  Files          882      882              
  Lines        30748    30784      +36     
===========================================
+ Hits         29183    29221      +38     
+ Misses        1565     1563       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pi-sigma]

We're running a very old version of django-admin-index (1.5.0 vs current 3.1.0), and an old version of django-ordered-model (3.4.3 vs 3.7). The upgrade is not entirely straightforward, as the styling for django-admin-index has been completely revamped. I've created a separate issue for the upgrade (here).

[pi-sigma]

@stevenbal Just a heads-up when you're trying this out. Once you've created a TOTP device for a staff/superuser, you can no longer disable 2fa via development settings for that user (while on the ticket branch). That's not expected, but it's not (yet) determined if we should treat this as a bug or just document it and go along with it (after all, this only affects development, and you can easily create and drop superusers as you like). I've created a ticket at maykin-2fa for this (link).

[stevenbal]

Looks good! I ran into some issues while testing OIDC login, but this seems to be unrelated to this PR (https://taiga.maykinmedia.nl/project/open-inwoner/issue/2101)

[stevenbal]

Looks good, just have one question regarding CMS toolbar

[stevenbal]

I'm not sure what causes this (or if it is an issue at all, because I know very little about django-cms), but if I log in as an admin, I don't get to see the CMS toolbar if I navigate to the frontend (if I try the same on develop it does show the toolbar):

I can only get the toolbar to show if I go to a page in the admin and then click the view button

[pi-sigma]

This might be related to the changes to DropToolbarMiddleware. I'll look into it.

[pi-sigma]

The toobar seems to be disabled by installing maykin-2fa, not sure why. You can re-enable it by appending /?edit in the url bar. I tried logging out in in again and at least it seems to stick around after being re-enabled.

[pi-sigma]

• admin is fixed
• yubikey works
• old TOTP devices work
• once enabled, 2fa cannot be circumvented for dev purposes via dev settings (you need to log in and delete the TOTP device for your user)

[Bartvaderkin]

I left a small observation not sure if it is something.

[pi-sigma]

@Bartvaderkin Do you mean the clarification about DropToolbarMiddleware (I don't see anything else)?