app-MAIL-temp/app/auth/views/fido.py

import json
import secrets

import webauthn
from flask import (
    request,
    render_template,
    redirect,
    url_for,
    flash,
    session,
    make_response,
    g,
)
from flask_login import login_user
from flask_wtf import FlaskForm
from wtforms import HiddenField, validators, BooleanField

from app.auth.base import auth_bp
from app.config import MFA_USER_ID
from app.config import RP_ID, URL
from app.db import Session
from app.extensions import limiter
from app.log import LOG
from app.models import User, Fido, MfaBrowser


class FidoTokenForm(FlaskForm):
    sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])
    remember = BooleanField(
        "attr", default=False, description="Remember this browser for 30 days"
    )


@auth_bp.route("/fido", methods=["GET", "POST"])
@limiter.limit(
    "10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
)
def fido():
    # passed from login page
    user_id = session.get(MFA_USER_ID)

    # user access this page directly without passing by login page
    if not user_id:
        flash("Unknown error, redirect back to main page", "warning")
        return redirect(url_for("auth.login"))

    user = User.get(user_id)

    if not (user and user.fido_enabled()):
        flash("Only user with security key linked should go to this page", "warning")
        return redirect(url_for("auth.login"))

    auto_activate = True
    fido_token_form = FidoTokenForm()

    next_url = request.args.get("next")

    if request.cookies.get("mfa"):
        browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))
        if browser and not browser.is_expired() and browser.user_id == user.id:
            login_user(user)
            flash(f"Welcome back!", "success")
            # Redirect user to correct page
            return redirect(next_url or url_for("dashboard.index"))
        else:
            # Trigger rate limiter
            g.deduct_limit = True

    # Handling POST requests
    if fido_token_form.validate_on_submit():
        try:
            sk_assertion = json.loads(fido_token_form.sk_assertion.data)
        except Exception:
            flash("Key verification failed. Error: Invalid Payload", "warning")
            return redirect(url_for("auth.login"))

        challenge = session["fido_challenge"]

        try:
            fido_key = Fido.get_by(
                uuid=user.fido_uuid, credential_id=sk_assertion["id"]
            )
            webauthn_user = webauthn.WebAuthnUser(
                user.fido_uuid,
                user.email,
                user.name if user.name else user.email,
                False,
                fido_key.credential_id,
                fido_key.public_key,
                fido_key.sign_count,
                RP_ID,
            )
            webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
                webauthn_user, sk_assertion, challenge, URL, uv_required=False
            )
            new_sign_count = webauthn_assertion_response.verify()
        except Exception as e:
            LOG.w(f"An error occurred in WebAuthn verification process: {e}")
            flash("Key verification failed.", "warning")
            # Trigger rate limiter
            g.deduct_limit = True
            auto_activate = False
        else:
            user.fido_sign_count = new_sign_count
            Session.commit()
            del session[MFA_USER_ID]

            login_user(user)
            flash(f"Welcome back!", "success")

            # Redirect user to correct page
            response = make_response(redirect(next_url or url_for("dashboard.index")))

            if fido_token_form.remember.data:
                browser = MfaBrowser.create_new(user=user)
                Session.commit()
                response.set_cookie(
                    "mfa",
                    value=browser.token,
                    expires=browser.expires.datetime,
                    secure=True if URL.startswith("https") else False,
                    httponly=True,
                    samesite="Lax",
                )

            return response

    # Prepare information for key registration process
    session.pop("challenge", None)
    challenge = secrets.token_urlsafe(32)

    session["fido_challenge"] = challenge.rstrip("=")

    fidos = Fido.filter_by(uuid=user.fido_uuid).all()
    webauthn_users = []
    for fido in fidos:
        webauthn_users.append(
            webauthn.WebAuthnUser(
                user.fido_uuid,
                user.email,
                user.name if user.name else user.email,
                False,
                fido.credential_id,
                fido.public_key,
                fido.sign_count,
                RP_ID,
            )
        )

    webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
        webauthn_users, challenge
    )
    webauthn_assertion_options = webauthn_assertion_options.assertion_dict

    return render_template(
        "auth/fido.html",
        fido_token_form=fido_token_form,
        webauthn_assertion_options=webauthn_assertion_options,
        enable_otp=user.enable_otp,
        auto_activate=auto_activate,
        next_url=next_url,
    )
FIDO login middleware 2020-05-05 14:03:29 +02:00			`import json`
			`import secrets`
optimize import 2020-10-15 16:45:28 +02:00
optimize import 2020-05-07 17:49:29 +02:00			`import webauthn`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`from flask import (`
			`request,`
			`render_template,`
			`redirect,`
			`url_for,`
			`flash,`
			`session,`
			`make_response,`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`g,`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`from flask_login import login_user`
			`from flask_wtf import FlaskForm`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`from wtforms import HiddenField, validators, BooleanField`
FIDO login middleware 2020-05-05 14:03:29 +02:00
			`from app.auth.base import auth_bp`
			`from app.config import MFA_USER_ID`
optimize import 2020-05-07 17:49:29 +02:00			`from app.config import RP_ID, URL`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.db import Session`
			`from app.extensions import limiter`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`from app.log import LOG`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`from app.models import User, Fido, MfaBrowser`
FIDO login middleware 2020-05-05 14:03:29 +02:00

			`class FidoTokenForm(FlaskForm):`
			`sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`remember = BooleanField(`
			`"attr", default=False, description="Remember this browser for 30 days"`
			`)`
FIDO login middleware 2020-05-05 14:03:29 +02:00

			`@auth_bp.route("/fido", methods=["GET", "POST"])`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`@limiter.limit(`
			`"10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit`
			`)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`def fido():`
			`# passed from login page`
			`user_id = session.get(MFA_USER_ID)`

			`# user access this page directly without passing by login page`
			`if not user_id:`
			`flash("Unknown error, redirect back to main page", "warning")`
			`return redirect(url_for("auth.login"))`

			`user = User.get(user_id)`

add User.can_use_fido 2020-05-07 17:56:25 +02:00			`if not (user and user.fido_enabled()):`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`flash("Only user with security key linked should go to this page", "warning")`
			`return redirect(url_for("auth.login"))`

Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate = True`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`fido_token_form = FidoTokenForm()`

			`next_url = request.args.get("next")`

Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`if request.cookies.get("mfa"):`
			`browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))`
			`if browser and not browser.is_expired() and browser.user_id == user.id:`
			`login_user(user)`
remove the "Hi {name}" from email template 2021-01-11 10:22:39 +01:00			`flash(f"Welcome back!", "success")`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`# Redirect user to correct page`
			`return redirect(next_url or url_for("dashboard.index"))`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`else:`
			`# Trigger rate limiter`
			`g.deduct_limit = True`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00
FIDO login middleware 2020-05-05 14:03:29 +02:00			`# Handling POST requests`
			`if fido_token_form.validate_on_submit():`
			`try:`
			`sk_assertion = json.loads(fido_token_form.sk_assertion.data)`
linting 2020-12-06 22:08:35 +01:00			`except Exception:`
Black formatted 2020-05-07 11:53:28 +02:00			`flash("Key verification failed. Error: Invalid Payload", "warning")`
fix exception handling 2020-05-05 23:13:01 +02:00			`return redirect(url_for("auth.login"))`
Black formatted 2020-05-07 11:53:28 +02:00
			`challenge = session["fido_challenge"]`
FIDO login middleware 2020-05-05 14:03:29 +02:00
			`try:`
Rename FIDO->Fido 2020-05-18 22:54:05 +02:00			`fido_key = Fido.get_by(`
more verify 2020-05-18 10:02:58 +02:00			`uuid=user.fido_uuid, credential_id=sk_assertion["id"]`
			`)`
			`webauthn_user = webauthn.WebAuthnUser(`
			`user.fido_uuid,`
			`user.email,`
			`user.name if user.name else user.email,`
			`False,`
			`fido_key.credential_id,`
			`fido_key.public_key,`
			`fido_key.sign_count,`
			`RP_ID,`
			`)`
			`webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(`
			`webauthn_user, sk_assertion, challenge, URL, uv_required=False`
			`)`
remove debug code 2020-05-05 23:26:26 +02:00			`new_sign_count = webauthn_assertion_response.verify()`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`except Exception as e:`
reformat 2021-09-08 11:29:55 +02:00			`LOG.w(f"An error occurred in WebAuthn verification process: {e}")`
Black formatted 2020-05-07 11:53:28 +02:00			`flash("Key verification failed.", "warning")`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`# Trigger rate limiter`
			`g.deduct_limit = True`
Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate = False`
Use try-else https://github.com/simple-login/app/pull/159/files/9b8340f3e0d49b68cf765b6c982d824c3f89a129#r421465450 2020-05-07 14:41:34 +02:00			`else:`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`user.fido_sign_count = new_sign_count`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`del session[MFA_USER_ID]`

			`login_user(user)`
remove the "Hi {name}" from email template 2021-01-11 10:22:39 +01:00			`flash(f"Welcome back!", "success")`
FIDO login middleware 2020-05-05 14:03:29 +02:00
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`# Redirect user to correct page`
			`response = make_response(redirect(next_url or url_for("dashboard.index")))`

			`if fido_token_form.remember.data:`
			`browser = MfaBrowser.create_new(user=user)`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
Add remember option to FIDO mfa path 2020-05-23 21:56:42 +02:00			`response.set_cookie(`
			`"mfa",`
			`value=browser.token,`
			`expires=browser.expires.datetime,`
			`secure=True if URL.startswith("https") else False,`
			`httponly=True,`
			`samesite="Lax",`
			`)`

			`return response`
black format 2020-05-07 17:48:44 +02:00
typo 'infomation' 2020-05-07 11:31:42 +02:00			`# Prepare information for key registration process`
Black formatted 2020-05-07 11:53:28 +02:00			`session.pop("challenge", None)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`challenge = secrets.token_urlsafe(32)`
Black formatted 2020-05-07 11:53:28 +02:00
			`session["fido_challenge"] = challenge.rstrip("=")`
FIDO login middleware 2020-05-05 14:03:29 +02:00
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fidos = Fido.filter_by(uuid=user.fido_uuid).all()`
more verify 2020-05-18 10:02:58 +02:00			`webauthn_users = []`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`for fido in fidos:`
more verify 2020-05-18 10:02:58 +02:00			`webauthn_users.append(`
			`webauthn.WebAuthnUser(`
			`user.fido_uuid,`
			`user.email,`
			`user.name if user.name else user.email,`
			`False,`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fido.credential_id,`
			`fido.public_key,`
			`fido.sign_count,`
more verify 2020-05-18 10:02:58 +02:00			`RP_ID,`
			`)`
			`)`
black 2020-05-18 10:04:45 +02:00
FIDO login middleware 2020-05-05 14:03:29 +02:00			`webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(`
Verify 2020-05-18 09:08:06 +02:00			`webauthn_users, challenge`
Black formatted 2020-05-07 11:53:28 +02:00			`)`
FIDO login middleware 2020-05-05 14:03:29 +02:00			`webauthn_assertion_options = webauthn_assertion_options.assertion_dict`

Black formatted 2020-05-07 11:53:28 +02:00			`return render_template(`
			`"auth/fido.html",`
			`fido_token_form=fido_token_form,`
			`webauthn_assertion_options=webauthn_assertion_options,`
			`enable_otp=user.enable_otp,`
Auto activate WebAuthn authentication 2020-05-12 04:17:51 +02:00			`auto_activate=auto_activate,`
reformat 2020-05-17 10:35:11 +02:00			`next_url=next_url,`
Black formatted 2020-05-07 11:53:28 +02:00			`)`