app-MAIL-temp/app/auth/views/mfa.py

import pyotp
from flask import (
    render_template,
    redirect,
    url_for,
    flash,
    session,
    make_response,
    request,
    g,
)
from flask_login import login_user
from flask_wtf import FlaskForm
from wtforms import BooleanField, StringField, validators

from app.auth.base import auth_bp
from app.config import MFA_USER_ID, URL
from app.db import Session
from app.email_utils import send_invalid_totp_login_email
from app.extensions import limiter
from app.models import User, MfaBrowser
from app.utils import sanitize_next_url


class OtpTokenForm(FlaskForm):
    token = StringField("Token", validators=[validators.DataRequired()])
    remember = BooleanField(
        "attr", default=False, description="Remember this browser for 30 days"
    )


@auth_bp.route("/mfa", methods=["GET", "POST"])
@limiter.limit(
    "10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
)
def mfa():
    # passed from login page
    user_id = session.get(MFA_USER_ID)

    # user access this page directly without passing by login page
    if not user_id:
        flash("Unknown error, redirect back to main page", "warning")
        return redirect(url_for("auth.login"))

    user = User.get(user_id)

    if not (user and user.enable_otp):
        flash("Only user with MFA enabled should go to this page", "warning")
        return redirect(url_for("auth.login"))

    otp_token_form = OtpTokenForm()
    next_url = sanitize_next_url(request.args.get("next"))

    if request.cookies.get("mfa"):
        browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))
        if browser and not browser.is_expired() and browser.user_id == user.id:
            login_user(user)
            flash("Welcome back!", "success")
            # Redirect user to correct page
            return redirect(next_url or url_for("dashboard.index"))
        else:
            # Trigger rate limiter
            g.deduct_limit = True

    if otp_token_form.validate_on_submit():
        totp = pyotp.TOTP(user.otp_secret)

        token = otp_token_form.token.data.replace(" ", "")

        if totp.verify(token, valid_window=2) and user.last_otp != token:
            del session[MFA_USER_ID]
            user.last_otp = token
            Session.commit()

            login_user(user)
            flash("Welcome back!", "success")

            # Redirect user to correct page
            response = make_response(redirect(next_url or url_for("dashboard.index")))

            if otp_token_form.remember.data:
                browser = MfaBrowser.create_new(user=user)
                Session.commit()
                response.set_cookie(
                    "mfa",
                    value=browser.token,
                    expires=browser.expires.datetime,
                    secure=True if URL.startswith("https") else False,
                    httponly=True,
                    samesite="Lax",
                )

            return response

        else:
            flash("Incorrect token", "warning")
            # Trigger rate limiter
            g.deduct_limit = True
            otp_token_form.token.data = None
            send_invalid_totp_login_email(user, "TOTP")

    return render_template(
        "auth/mfa.html",
        otp_token_form=otp_token_form,
        enable_fido=(user.fido_enabled()),
        next_url=next_url,
    )
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`import pyotp`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from flask import (`
			`render_template,`
			`redirect,`
			`url_for,`
			`flash,`
			`session,`
			`make_response,`
			`request,`
Revert "remove deduct_limit as it has no effect (#1347)" (#1348) This reverts commit 851ba0a99a8e3910c14119aba885abd516165cde. 2022-10-13 22:00:45 +02:00			`g,`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`from flask_login import login_user`
			`from flask_wtf import FlaskForm`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from wtforms import BooleanField, StringField, validators`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
			`from app.auth.base import auth_bp`
Implement API notifications and use a function in email_utils 2022-01-20 18:42:11 +01:00			`from app.config import MFA_USER_ID, URL`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.db import Session`
Implement API notifications and use a function in email_utils 2022-01-20 18:42:11 +01:00			`from app.email_utils import send_invalid_totp_login_email`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.extensions import limiter`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from app.models import User, MfaBrowser`
Sanitized missing places 2022-03-29 18:03:18 +02:00			`from app.utils import sanitize_next_url`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00

			`class OtpTokenForm(FlaskForm):`
			`token = StringField("Token", validators=[validators.DataRequired()])`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`remember = BooleanField(`
			`"attr", default=False, description="Remember this browser for 30 days"`
			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00

			`@auth_bp.route("/mfa", methods=["GET", "POST"])`
Revert "remove deduct_limit as it has no effect (#1347)" (#1348) This reverts commit 851ba0a99a8e3910c14119aba885abd516165cde. 2022-10-13 22:00:45 +02:00			`@limiter.limit(`
			`"10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit`
			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`def mfa():`
			`# passed from login page`
Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00			`user_id = session.get(MFA_USER_ID)`

			`# user access this page directly without passing by login page`
			`if not user_id:`
			`flash("Unknown error, redirect back to main page", "warning")`
redirect to login page instead 2020-01-03 23:50:34 +01:00			`return redirect(url_for("auth.login"))`
Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`user = User.get(user_id)`

Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00			`if not (user and user.enable_otp):`
			`flash("Only user with MFA enabled should go to this page", "warning")`
redirect to login page instead 2020-01-03 23:50:34 +01:00			`return redirect(url_for("auth.login"))`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
			`otp_token_form = OtpTokenForm()`
Sanitized missing places 2022-03-29 18:03:18 +02:00			`next_url = sanitize_next_url(request.args.get("next"))`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`if request.cookies.get("mfa"):`
			`browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))`
Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`if browser and not browser.is_expired() and browser.user_id == user.id:`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`login_user(user)`
Replace black and flake8 with ruff (#1943) 2023-11-21 16:42:18 +01:00			`flash("Welcome back!", "success")`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`# Redirect user to correct page`
			`return redirect(next_url or url_for("dashboard.index"))`
Revert "remove deduct_limit as it has no effect (#1347)" (#1348) This reverts commit 851ba0a99a8e3910c14119aba885abd516165cde. 2022-10-13 22:00:45 +02:00			`else:`
			`# Trigger rate limiter`
			`g.deduct_limit = True`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`if otp_token_form.validate_on_submit():`
			`totp = pyotp.TOTP(user.otp_secret)`

Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`token = otp_token_form.token.data.replace(" ", "")`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
Extend validity of totp tokens for up to a minute. (#1494) * Feat: Allow TOTP for up to one minute in the future and in the past * Feat: Allow TOTP for up to one minute in the future and in the past Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2022-12-16 17:54:46 +01:00			`if totp.verify(token, valid_window=2) and user.last_otp != token:`
remove redundant code 2019-12-27 17:36:35 +01:00			`del session[MFA_USER_ID]`
Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`user.last_otp = token`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
remove redundant code 2019-12-27 17:36:35 +01:00			`login_user(user)`
Replace black and flake8 with ruff (#1943) 2023-11-21 16:42:18 +01:00			`flash("Welcome back!", "success")`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00
			`# Redirect user to correct page`
			`response = make_response(redirect(next_url or url_for("dashboard.index")))`

			`if otp_token_form.remember.data:`
			`browser = MfaBrowser.create_new(user=user)`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`response.set_cookie(`
			`"mfa",`
			`value=browser.token,`
			`expires=browser.expires.datetime,`
			`secure=True if URL.startswith("https") else False,`
			`httponly=True,`
			`samesite="Lax",`
			`)`

			`return response`
remove redundant code 2019-12-27 17:36:35 +01:00
			`else:`
Send the email after the local error. 2022-01-20 17:44:15 +01:00			`flash("Incorrect token", "warning")`
Revert "remove deduct_limit as it has no effect (#1347)" (#1348) This reverts commit 851ba0a99a8e3910c14119aba885abd516165cde. 2022-10-13 22:00:45 +02:00			`# Trigger rate limiter`
			`g.deduct_limit = True`
Send the email after the local error. 2022-01-20 17:44:15 +01:00			`otp_token_form.token.data = None`
Implement API notifications and use a function in email_utils 2022-01-20 18:42:11 +01:00			`send_invalid_totp_login_email(user, "TOTP")`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
Black formatted 2020-05-07 11:53:28 +02:00			`return render_template(`
			`"auth/mfa.html",`
			`otp_token_form=otp_token_form,`
model - fido_enabled 2020-05-07 14:32:52 +02:00			`enable_fido=(user.fido_enabled()),`
reformat 2020-05-17 10:35:11 +02:00			`next_url=next_url,`
Black formatted 2020-05-07 11:53:28 +02:00			`)`