mirror of https://github.com/lightningcell/flask-2fa-auth.git synced 2026-05-26 07:08:07 +00:00

Go to file

Hamit Şimşek 0d8fc25001 Revert "Reapply "Add few test bugs to test ai-review workflow""

This reverts commit 176ce8d2d5.

2025-11-01 13:21:51 +03:00

.github

Enhance AI review script to compute a detailed per-file change summary and output it in JSON format

2025-11-01 13:13:29 +03:00

app

Revert "Reapply "Add few test bugs to test ai-review workflow""

2025-11-01 13:21:51 +03:00

migrations

Base scripts and templates added

2025-05-30 00:07:07 +03:00

.env.example

Implement location tracking and suspicious login detection

2025-05-30 00:34:17 +03:00

.gitattributes

Initial commit

2025-05-29 22:55:08 +03:00

.gitignore

Initial commit

2025-05-29 22:55:08 +03:00

config.py

Implement location tracking and suspicious login detection

2025-05-30 00:34:17 +03:00

init_db.py

Base scripts and templates added

2025-05-30 00:07:07 +03:00

LICENSE

Initial commit

2025-05-29 22:55:08 +03:00

README.md

Base scripts and templates added

2025-05-30 00:07:07 +03:00

requirements.txt

Implement location tracking and suspicious login detection

2025-05-30 00:34:17 +03:00

run.py

Remove commented Turkish note from run.py

2025-11-01 00:00:54 +03:00

test_app.py

Base scripts and templates added

2025-05-30 00:07:07 +03:00

README.md

Flask 2FA Authentication Application

A secure Flask web application implementing two-factor authentication (2FA) with industry best practices for web security.

🔒 Security Features

Two-Factor Authentication: TOTP-based 2FA using PyOTP
Secure Password Storage: Bcrypt hashing with automatic salt generation
CSRF Protection: Automatic token validation on all forms
SQL Injection Prevention: Parameterized queries with SQLAlchemy ORM
XSS Protection: Automatic template escaping and CSP headers
Secure Session Management: HTTPOnly, Secure, and SameSite cookie flags
Security Headers: HSTS, X-Frame-Options, X-Content-Type-Options
Input Validation: Server-side validation with WTForms
Secure Configuration: Environment-based configuration management

🚀 Quick Start

Prerequisites

Python 3.9 or higher
pip (Python package installer)

Installation

Clone the repository

git clone <repository-url>
cd flask-2fa-auth

Create and activate virtual environment

# Windows
python -m venv venv
venv\Scripts\activate

# macOS/Linux
python3 -m venv venv
source venv/bin/activate

Install dependencies
```
pip install -r requirements.txt
```

Set up environment variables

# Copy the example environment file
copy .env.example .env

# Edit .env file with your configuration
# At minimum, change the SECRET_KEY for production

Initialize the database

flask db init
flask db migrate -m "Initial migration"
flask db upgrade

Run the application
```
python run.py
```
The application will be available at http://127.0.0.1:5000

📱 2FA Setup Process

Register: Create a new account with username, email, and password
Scan QR Code: Use Google Authenticator, Authy, or similar app to scan the QR code
Verify: Enter the 6-digit code from your authenticator app
Login: Use your credentials + 2FA code for future logins

Supported Authenticator Apps

Google Authenticator
Microsoft Authenticator
Authy
1Password
LastPass Authenticator
Any TOTP-compatible app

🛠️ Project Structure

flask-2fa-auth/
├── app/
│   ├── __init__.py          # Application factory
│   ├── models.py            # User model with 2FA methods
│   ├── auth/                # Authentication blueprint
│   │   ├── __init__.py
│   │   ├── routes.py        # Auth routes (register, login, verify)
│   │   └── forms.py         # WTForms form classes
│   ├── main/                # Main application blueprint
│   │   ├── __init__.py
│   │   └── routes.py        # Main routes (dashboard, profile)
│   └── templates/           # Jinja2 templates
│       ├── base.html        # Base template with security headers
│       ├── index.html       # Home page
│       ├── dashboard.html   # User dashboard
│       ├── profile.html     # User profile
│       └── auth/            # Authentication templates
│           ├── register.html
│           ├── login.html
│           ├── verify_otp.html
│           └── setup_2fa.html
├── config.py                # Configuration classes
├── requirements.txt         # Python dependencies
├── run.py                   # Application entry point
├── .env.example            # Environment variables template
└── README.md               # This file

🔧 Configuration

Environment Variables

Variable	Description	Default
`FLASK_CONFIG`	Configuration environment	`development`
`SECRET_KEY`	Flask secret key (CHANGE IN PRODUCTION!)	Auto-generated
`DATABASE_URL`	Database connection string	`sqlite:///app.db`
`DEBUG`	Enable debug mode	`True`

Configuration Classes

DevelopmentConfig: Debug enabled, SQLite database
ProductionConfig: Debug disabled, PostgreSQL recommended
TestingConfig: In-memory database, CSRF disabled

🚀 Deployment

Production Checklist

Change SECRET_KEY to a cryptographically secure random value
Set FLASK_CONFIG=production
Use PostgreSQL or similar production database
Enable HTTPS with valid SSL certificate
Set secure environment variables
Use a proper WSGI server (Gunicorn, uWSGI)
Configure reverse proxy (Nginx, Apache)
Set up monitoring and logging
Regular security updates

Example Production Deployment

# Install production dependencies
pip install gunicorn

# Set production environment
export FLASK_CONFIG=production
export SECRET_KEY="your-super-secure-random-key"
export DATABASE_URL="postgresql://user:pass@localhost/flask_2fa_prod"

# Run database migrations
flask db upgrade

# Start with Gunicorn
gunicorn -w 4 -b 0.0.0.0:8000 run:app

🛡️ Security Considerations

Authentication Security

Passwords are hashed using bcrypt with automatic salt generation
TOTP tokens expire every 30 seconds with built-in replay protection
Failed login attempts are logged for security monitoring
Session protection prevents session fixation attacks

Web Security

CSRF tokens protect against cross-site request forgery
Security headers prevent clickjacking and XSS attacks
Input validation prevents injection attacks
Secure cookie settings protect session data

Database Security

Parameterized queries prevent SQL injection
Connection pooling with proper timeouts
Database credentials stored in environment variables

Operational Security

Security events logged for monitoring
Environment-based configuration
Separate development and production configurations

📚 API Reference

User Model Methods

user = User(username="john", email="john@example.com")

# Password management
user.set_password("secure_password")
user.check_password("password_to_verify")

# 2FA management
user.generate_totp_secret()
user.generate_totp_uri("MyApp")
user.verify_totp("123456")
user.generate_qr_code("MyApp")
user.enable_2fa()
user.disable_2fa()

Routes

Route	Method	Description
`/`	GET	Home page
`/auth/register`	GET, POST	User registration
`/auth/login`	GET, POST	User login (first factor)
`/auth/verify-otp`	GET, POST	2FA verification
`/auth/setup-2fa`	GET	QR code for 2FA setup
`/auth/logout`	GET	User logout
`/dashboard`	GET	User dashboard (protected)
`/profile`	GET	User profile (protected)

🤝 Contributing

Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

Development Guidelines

Follow PEP 8 style guidelines
Add tests for new features
Update documentation as needed
Ensure security best practices are maintained

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

If you encounter any issues:

Check the Issues page for existing solutions
Create a new issue with detailed information
Include error messages and steps to reproduce

🔗 Resources

⚠️ Security Notice: This application implements security best practices, but security is an ongoing process. Always keep dependencies updated, monitor for vulnerabilities, and follow current security guidelines for production deployments.