app-MAIL-temp/app/auth/views/fido.py

import json
import secrets

import webauthn
from flask import request, render_template, redirect, url_for, flash, session
from flask_login import login_user
from flask_wtf import FlaskForm
from wtforms import HiddenField, validators

from app.auth.base import auth_bp
from app.config import MFA_USER_ID
from app.config import RP_ID, URL
from app.extensions import db
from app.log import LOG
from app.models import User, Fido


class FidoTokenForm(FlaskForm):
    sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])


@auth_bp.route("/fido", methods=["GET", "POST"])
def fido():
    # passed from login page
    user_id = session.get(MFA_USER_ID)

    # user access this page directly without passing by login page
    if not user_id:
        flash("Unknown error, redirect back to main page", "warning")
        return redirect(url_for("auth.login"))

    user = User.get(user_id)

    if not (user and user.fido_enabled()):
        flash("Only user with security key linked should go to this page", "warning")
        return redirect(url_for("auth.login"))

    auto_activate = True
    fido_token_form = FidoTokenForm()

    next_url = request.args.get("next")

    # Handling POST requests
    if fido_token_form.validate_on_submit():
        try:
            sk_assertion = json.loads(fido_token_form.sk_assertion.data)
        except Exception as e:
            flash("Key verification failed. Error: Invalid Payload", "warning")
            return redirect(url_for("auth.login"))

        challenge = session["fido_challenge"]

        try:
            fido_key = Fido.get_by(
                uuid=user.fido_uuid, credential_id=sk_assertion["id"]
            )
            webauthn_user = webauthn.WebAuthnUser(
                user.fido_uuid,
                user.email,
                user.name if user.name else user.email,
                False,
                fido_key.credential_id,
                fido_key.public_key,
                fido_key.sign_count,
                RP_ID,
            )
            webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
                webauthn_user, sk_assertion, challenge, URL, uv_required=False
            )
            new_sign_count = webauthn_assertion_response.verify()
        except Exception as e:
            LOG.error(f"An error occurred in WebAuthn verification process: {e}")
            flash("Key verification failed.", "warning")
            auto_activate = False
        else:
            user.fido_sign_count = new_sign_count
            db.session.commit()
            del session[MFA_USER_ID]

            login_user(user)
            flash(f"Welcome back {user.name}!", "success")

            # User comes to login page from another page
            if next_url:
                LOG.debug("redirect user to %s", next_url)
                return redirect(next_url)
            else:
                LOG.debug("redirect user to dashboard")
                return redirect(url_for("dashboard.index"))

    # Prepare information for key registration process
    session.pop("challenge", None)
    challenge = secrets.token_urlsafe(32)

    session["fido_challenge"] = challenge.rstrip("=")

    fidos = Fido.filter_by(uuid=user.fido_uuid).all()
    webauthn_users = []
    for fido in fidos:
        webauthn_users.append(
            webauthn.WebAuthnUser(
                user.fido_uuid,
                user.email,
                user.name if user.name else user.email,
                False,
                fido.credential_id,
                fido.public_key,
                fido.sign_count,
                RP_ID,
            )
        )

    webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
        webauthn_users, challenge
    )
    webauthn_assertion_options = webauthn_assertion_options.assertion_dict

    return render_template(
        "auth/fido.html",
        fido_token_form=fido_token_form,
        webauthn_assertion_options=webauthn_assertion_options,
        enable_otp=user.enable_otp,
        auto_activate=auto_activate,
        next_url=next_url,
    )
FIDO login middleware 2020-05-05 14:03:29 +02:00			`import json`
			`import secrets`

optimize import 2020-05-07 17:49:29 +02:00			`import webauthn`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`from flask import request, render_template, redirect, url_for, flash, session`
			`from flask_login import login_user`
			`from flask_wtf import FlaskForm`
			`from wtforms import HiddenField, validators`

			`from app.auth.base import auth_bp`
			`from app.config import MFA_USER_ID`
optimize import 2020-05-07 17:49:29 +02:00			`from app.config import RP_ID, URL`
			`from app.extensions import db`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`from app.log import LOG`
Rename FIDO->Fido 2020-05-18 22:54:05 +02:00			`from app.models import User, Fido`
FIDO login middleware 2020-05-05 14:03:29 +02:00

			`class FidoTokenForm(FlaskForm):`
			`sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])`


			`@auth_bp.route("/fido", methods=["GET", "POST"])`
			`def fido():`
			`# passed from login page`
			`user_id = session.get(MFA_USER_ID)`

			`# user access this page directly without passing by login page`
			`if not user_id:`
			`flash("Unknown error, redirect back to main page", "warning")`
			`return redirect(url_for("auth.login"))`

			`user = User.get(user_id)`

add User.can_use_fido 2020-05-07 17:56:25 +02:00			`if not (user and user.fido_enabled()):`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`flash("Only user with security key linked should go to this page", "warning")`
			`return redirect(url_for("auth.login"))`

Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate = True`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`fido_token_form = FidoTokenForm()`

			`next_url = request.args.get("next")`

			`# Handling POST requests`
			`if fido_token_form.validate_on_submit():`
			`try:`
			`sk_assertion = json.loads(fido_token_form.sk_assertion.data)`
			`except Exception as e:`
Black formatted 2020-05-07 11:53:28 +02:00			`flash("Key verification failed. Error: Invalid Payload", "warning")`
fix exception handling 2020-05-05 23:13:01 +02:00			`return redirect(url_for("auth.login"))`
Black formatted 2020-05-07 11:53:28 +02:00
			`challenge = session["fido_challenge"]`
FIDO login middleware 2020-05-05 14:03:29 +02:00
			`try:`
Rename FIDO->Fido 2020-05-18 22:54:05 +02:00			`fido_key = Fido.get_by(`
more verify 2020-05-18 10:02:58 +02:00			`uuid=user.fido_uuid, credential_id=sk_assertion["id"]`
			`)`
			`webauthn_user = webauthn.WebAuthnUser(`
			`user.fido_uuid,`
			`user.email,`
			`user.name if user.name else user.email,`
			`False,`
			`fido_key.credential_id,`
			`fido_key.public_key,`
			`fido_key.sign_count,`
			`RP_ID,`
			`)`
			`webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(`
			`webauthn_user, sk_assertion, challenge, URL, uv_required=False`
			`)`
remove debug code 2020-05-05 23:26:26 +02:00			`new_sign_count = webauthn_assertion_response.verify()`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`except Exception as e:`
Black formatted 2020-05-07 11:53:28 +02:00			`LOG.error(f"An error occurred in WebAuthn verification process: {e}")`
			`flash("Key verification failed.", "warning")`
Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate = False`
Use try-else https://github.com/simple-login/app/pull/159/files/9b8340f3e0d49b68cf765b6c982d824c3f89a129#r421465450 2020-05-07 14:41:34 +02:00			`else:`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`user.fido_sign_count = new_sign_count`
			`db.session.commit()`
			`del session[MFA_USER_ID]`

			`login_user(user)`
			`flash(f"Welcome back {user.name}!", "success")`

			`# User comes to login page from another page`
			`if next_url:`
			`LOG.debug("redirect user to %s", next_url)`
			`return redirect(next_url)`
			`else:`
			`LOG.debug("redirect user to dashboard")`
			`return redirect(url_for("dashboard.index"))`
black format 2020-05-07 17:48:44 +02:00
typo 'infomation' 2020-05-07 11:31:42 +02:00			`# Prepare information for key registration process`
Black formatted 2020-05-07 11:53:28 +02:00			`session.pop("challenge", None)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`challenge = secrets.token_urlsafe(32)`
Black formatted 2020-05-07 11:53:28 +02:00
			`session["fido_challenge"] = challenge.rstrip("=")`
FIDO login middleware 2020-05-05 14:03:29 +02:00
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fidos = Fido.filter_by(uuid=user.fido_uuid).all()`
more verify 2020-05-18 10:02:58 +02:00			`webauthn_users = []`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`for fido in fidos:`
more verify 2020-05-18 10:02:58 +02:00			`webauthn_users.append(`
			`webauthn.WebAuthnUser(`
			`user.fido_uuid,`
			`user.email,`
			`user.name if user.name else user.email,`
			`False,`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fido.credential_id,`
			`fido.public_key,`
			`fido.sign_count,`
more verify 2020-05-18 10:02:58 +02:00			`RP_ID,`
			`)`
			`)`
black 2020-05-18 10:04:45 +02:00
FIDO login middleware 2020-05-05 14:03:29 +02:00			`webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(`
Verify 2020-05-18 09:08:06 +02:00			`webauthn_users, challenge`
Black formatted 2020-05-07 11:53:28 +02:00			`)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`webauthn_assertion_options = webauthn_assertion_options.assertion_dict`

Black formatted 2020-05-07 11:53:28 +02:00			`return render_template(`
			`"auth/fido.html",`
			`fido_token_form=fido_token_form,`
			`webauthn_assertion_options=webauthn_assertion_options,`
			`enable_otp=user.enable_otp,`
Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate=auto_activate,`
reformat 2020-05-17 10:35:11 +02:00			`next_url=next_url,`
Black formatted 2020-05-07 11:53:28 +02:00			`)`