app-MAIL-temp/app/auth/views/mfa.py

import pyotp
from flask import (
    render_template,
    redirect,
    url_for,
    flash,
    session,
    make_response,
    request,
    g,
)
from flask_login import login_user
from flask_wtf import FlaskForm
from wtforms import BooleanField, StringField, validators

from app.auth.base import auth_bp
from app.config import MFA_USER_ID, URL
from app.extensions import db, limiter
from app.models import User, MfaBrowser


class OtpTokenForm(FlaskForm):
    token = StringField("Token", validators=[validators.DataRequired()])
    remember = BooleanField(
        "attr", default=False, description="Remember this browser for 30 days"
    )


@auth_bp.route("/mfa", methods=["GET", "POST"])
@limiter.limit(
    "10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
)
def mfa():
    # passed from login page
    user_id = session.get(MFA_USER_ID)

    # user access this page directly without passing by login page
    if not user_id:
        flash("Unknown error, redirect back to main page", "warning")
        return redirect(url_for("auth.login"))

    user = User.get(user_id)

    if not (user and user.enable_otp):
        flash("Only user with MFA enabled should go to this page", "warning")
        return redirect(url_for("auth.login"))

    otp_token_form = OtpTokenForm()
    next_url = request.args.get("next")

    if request.cookies.get("mfa"):
        browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))
        if browser and not browser.is_expired() and browser.user_id == user.id:
            login_user(user)
            flash(f"Welcome back!", "success")
            # Redirect user to correct page
            return redirect(next_url or url_for("dashboard.index"))
        else:
            # Trigger rate limiter
            g.deduct_limit = True

    if otp_token_form.validate_on_submit():
        totp = pyotp.TOTP(user.otp_secret)

        token = otp_token_form.token.data.replace(" ", "")

        if totp.verify(token) and user.last_otp != token:
            del session[MFA_USER_ID]
            user.last_otp = token
            db.session.commit()

            login_user(user)
            flash(f"Welcome back!", "success")

            # Redirect user to correct page
            response = make_response(redirect(next_url or url_for("dashboard.index")))

            if otp_token_form.remember.data:
                browser = MfaBrowser.create_new(user=user)
                db.session.commit()
                response.set_cookie(
                    "mfa",
                    value=browser.token,
                    expires=browser.expires.datetime,
                    secure=True if URL.startswith("https") else False,
                    httponly=True,
                    samesite="Lax",
                )

            return response

        else:
            flash("Incorrect token", "warning")
            # Trigger rate limiter
            g.deduct_limit = True
            otp_token_form.token.data = None

    return render_template(
        "auth/mfa.html",
        otp_token_form=otp_token_form,
        enable_fido=(user.fido_enabled()),
        next_url=next_url,
    )
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`import pyotp`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from flask import (`
			`render_template,`
			`redirect,`
			`url_for,`
			`flash,`
			`session,`
			`make_response,`
			`request,`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`g,`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`from flask_login import login_user`
			`from flask_wtf import FlaskForm`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from wtforms import BooleanField, StringField, validators`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
			`from app.auth.base import auth_bp`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from app.config import MFA_USER_ID, URL`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`from app.extensions import db, limiter`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`from app.models import User, MfaBrowser`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00

			`class OtpTokenForm(FlaskForm):`
			`token = StringField("Token", validators=[validators.DataRequired()])`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`remember = BooleanField(`
			`"attr", default=False, description="Remember this browser for 30 days"`
			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00

			`@auth_bp.route("/mfa", methods=["GET", "POST"])`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`@limiter.limit(`
			`"10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit`
			`)`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`def mfa():`
			`# passed from login page`
Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00			`user_id = session.get(MFA_USER_ID)`

			`# user access this page directly without passing by login page`
			`if not user_id:`
			`flash("Unknown error, redirect back to main page", "warning")`
redirect to login page instead 2020-01-03 23:50:34 +01:00			`return redirect(url_for("auth.login"))`
Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`user = User.get(user_id)`

Fix user could go to MFA page directly 2020-01-03 23:42:35 +01:00			`if not (user and user.enable_otp):`
			`flash("Only user with MFA enabled should go to this page", "warning")`
redirect to login page instead 2020-01-03 23:50:34 +01:00			`return redirect(url_for("auth.login"))`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
			`otp_token_form = OtpTokenForm()`
			`next_url = request.args.get("next")`

Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`if request.cookies.get("mfa"):`
			`browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))`
Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`if browser and not browser.is_expired() and browser.user_id == user.id:`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`login_user(user)`
remove the "Hi {name}" from email template 2021-01-11 10:22:39 +01:00			`flash(f"Welcome back!", "success")`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00			`# Redirect user to correct page`
			`return redirect(next_url or url_for("dashboard.index"))`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`else:`
			`# Trigger rate limiter`
			`g.deduct_limit = True`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00			`if otp_token_form.validate_on_submit():`
			`totp = pyotp.TOTP(user.otp_secret)`

Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`token = otp_token_form.token.data.replace(" ", "")`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`if totp.verify(token) and user.last_otp != token:`
remove redundant code 2019-12-27 17:36:35 +01:00			`del session[MFA_USER_ID]`
Prevent OTP replay attacks by invalidating last token 2020-05-22 16:50:03 +02:00			`user.last_otp = token`
			`db.session.commit()`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
remove redundant code 2019-12-27 17:36:35 +01:00			`login_user(user)`
remove the "Hi {name}" from email template 2021-01-11 10:22:39 +01:00			`flash(f"Welcome back!", "success")`
Allow user to disable mfa for browser for 30 days 2020-05-22 16:14:52 +02:00
			`# Redirect user to correct page`
			`response = make_response(redirect(next_url or url_for("dashboard.index")))`

			`if otp_token_form.remember.data:`
			`browser = MfaBrowser.create_new(user=user)`
			`db.session.commit()`
			`response.set_cookie(`
			`"mfa",`
			`value=browser.token,`
			`expires=browser.expires.datetime,`
			`secure=True if URL.startswith("https") else False,`
			`httponly=True,`
			`samesite="Lax",`
			`)`

			`return response`
remove redundant code 2019-12-27 17:36:35 +01:00
			`else:`
			`flash("Incorrect token", "warning")`
Implement rate limiting 2020-05-24 16:14:48 +02:00			`# Trigger rate limiter`
			`g.deduct_limit = True`
Remove token when submitted value is incorrect 2020-05-22 14:35:37 +02:00			`otp_token_form.token.data = None`
Create auth/mfa page used by user who has enabled MFA 2019-12-27 15:34:10 +01:00
Black formatted 2020-05-07 11:53:28 +02:00			`return render_template(`
			`"auth/mfa.html",`
			`otp_token_form=otp_token_form,`
model - fido_enabled 2020-05-07 14:32:52 +02:00			`enable_fido=(user.fido_enabled()),`
reformat 2020-05-17 10:35:11 +02:00			`next_url=next_url,`
Black formatted 2020-05-07 11:53:28 +02:00			`)`